CVS commit: src/sys/arch/i386/conf

2017-07-28 Thread Maxime Villard 
Module Name:src
Committed By:   maxv
Date:   Sat Jul 29 05:59:08 UTC 2017

Modified Files:
src/sys/arch/i386/conf: XEN3_DOM0 XEN3_DOMU

Log Message:
Disable COMPAT_386BSD_MBRPART on Xen - not enabled in GENERIC.


To generate a diff of this commit:
cvs rdiff -u -r1.114 -r1.115 src/sys/arch/i386/conf/XEN3_DOM0
cvs rdiff -u -r1.78 -r1.79 src/sys/arch/i386/conf/XEN3_DOMU

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/i386/conf/XEN3_DOM0
diff -u src/sys/arch/i386/conf/XEN3_DOM0:1.114 src/sys/arch/i386/conf/XEN3_DOM0:1.115
--- src/sys/arch/i386/conf/XEN3_DOM0:1.114	Fri Jul 28 14:13:13 2017
+++ src/sys/arch/i386/conf/XEN3_DOM0	Sat Jul 29 05:59:08 2017
@@ -1,4 +1,4 @@
-#	$NetBSD: XEN3_DOM0,v 1.114 2017/07/28 14:13:13 maxv Exp $
+#	$NetBSD: XEN3_DOM0,v 1.115 2017/07/29 05:59:08 maxv Exp $
 #
 #	XEN3_0: Xen 3.0 domain0 kernel
 
@@ -93,7 +93,7 @@ options 	COMPAT_40	# NetBSD 4.0,
 options 	COMPAT_50	# NetBSD 5.0,
 options 	COMPAT_60	# NetBSD 6.0, and
 options 	COMPAT_70	# NetBSD 7.0 binary compatibility.
-options 	COMPAT_386BSD_MBRPART # recognize old partition ID
+#options 	COMPAT_386BSD_MBRPART # recognize old partition ID
 #options 	TCP_COMPAT_42	# 4.2BSD TCP/IP bug compat. Not recommended.
 
 options 	COMPAT_OSSAUDIO	# OSS (Voxware) audio driver compatibility

Index: src/sys/arch/i386/conf/XEN3_DOMU
diff -u src/sys/arch/i386/conf/XEN3_DOMU:1.78 src/sys/arch/i386/conf/XEN3_DOMU:1.79
--- src/sys/arch/i386/conf/XEN3_DOMU:1.78	Fri Jul 28 14:13:13 2017
+++ src/sys/arch/i386/conf/XEN3_DOMU	Sat Jul 29 05:59:08 2017
@@ -1,4 +1,4 @@
-# $NetBSD: XEN3_DOMU,v 1.78 2017/07/28 14:13:13 maxv Exp $
+# $NetBSD: XEN3_DOMU,v 1.79 2017/07/29 05:59:08 maxv Exp $
 
 include 	"arch/xen/conf/std.xen"
 
@@ -77,7 +77,7 @@ options 	COMPAT_40	# NetBSD 4.0,
 options 	COMPAT_50	# NetBSD 5.0,
 options 	COMPAT_60	# NetBSD 6.0, and
 options 	COMPAT_70	# NetBSD 7.0 binary compatibility.
-options 	COMPAT_386BSD_MBRPART # recognize old partition ID
+#options 	COMPAT_386BSD_MBRPART # recognize old partition ID
 #options 	TCP_COMPAT_42	# 4.2BSD TCP/IP bug compat. Not recommended.
 
 options 	COMPAT_OSSAUDIO	# OSS (Voxware) audio driver compatibility

CVS commit: src/sys/dev

2017-07-28 Thread Tetsuya Isaki 
Module Name:src
Committed By:   isaki
Date:   Sat Jul 29 05:55:58 UTC 2017

Modified Files:
src/sys/dev: audio.c

Log Message:
const-ify.


To generate a diff of this commit:
cvs rdiff -u -r1.376 -r1.377 src/sys/dev/audio.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/audio.c
diff -u src/sys/dev/audio.c:1.376 src/sys/dev/audio.c:1.377
--- src/sys/dev/audio.c:1.376	Sat Jul 29 03:05:51 2017
+++ src/sys/dev/audio.c	Sat Jul 29 05:55:58 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: audio.c,v 1.376 2017/07/29 03:05:51 isaki Exp $	*/
+/*	$NetBSD: audio.c,v 1.377 2017/07/29 05:55:58 isaki Exp $	*/
 
 /*-
  * Copyright (c) 2016 Nathanial Sloss 
@@ -148,7 +148,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.376 2017/07/29 03:05:51 isaki Exp $");
+__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.377 2017/07/29 05:55:58 isaki Exp $");
 
 #ifdef _KERNEL_OPT
 #include "audio.h"
@@ -272,7 +272,7 @@ int	mix_read(void *);
 int	audio_check_params(struct audio_params *);
 
 void	audio_calc_blksize(struct audio_softc *, int, struct virtual_channel *);
-void	audio_fill_silence(struct audio_params *, uint8_t *, int);
+void	audio_fill_silence(const struct audio_params *, uint8_t *, int);
 int	audio_silence_copyout(struct audio_softc *, int, struct uio *);
 
 void	audio_init_ringbuffer(struct audio_softc *,
@@ -384,7 +384,7 @@ static int
 static int audio_set_params (struct audio_softc *, int, int,
 		 audio_params_t *, audio_params_t *,
 		 stream_filter_list_t *, stream_filter_list_t *,
-		 struct virtual_channel *);
+		 const struct virtual_channel *);
 static int
 audio_query_encoding(struct audio_softc *, struct audio_encoding *);
 static int audio_set_vchan_defaults(struct audio_softc *, u_int);
@@ -2681,7 +2681,7 @@ audio_calc_blksize(struct audio_softc *s
 }
 
 void
-audio_fill_silence(struct audio_params *params, uint8_t *p, int n)
+audio_fill_silence(const struct audio_params *params, uint8_t *p, int n)
 {
 	uint8_t auzero0, auzero1;
 	int nfill;
@@ -5824,7 +5824,7 @@ static int
 audio_set_params(struct audio_softc *sc, int setmode, int usemode,
 		 audio_params_t *play, audio_params_t *rec,
 		 stream_filter_list_t *pfil, stream_filter_list_t *rfil,
-		 struct virtual_channel *vc)
+		 const struct virtual_channel *vc)
 {
 	struct audio_chan *chan;

CVS commit: src/sys/netinet

2017-07-28 Thread Maxime Villard 
Module Name:src
Committed By:   maxv
Date:   Sat Jul 29 05:48:16 UTC 2017

Modified Files:
src/sys/netinet: files.netinet

Log Message:
Remove TCP_COMPAT_42.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/sys/netinet/files.netinet

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/files.netinet
diff -u src/sys/netinet/files.netinet:1.27 src/sys/netinet/files.netinet:1.28
--- src/sys/netinet/files.netinet:1.27	Tue Oct 13 21:28:35 2015
+++ src/sys/netinet/files.netinet	Sat Jul 29 05:48:16 2017
@@ -1,4 +1,4 @@
-#	$NetBSD: files.netinet,v 1.27 2015/10/13 21:28:35 rjs Exp $
+#	$NetBSD: files.netinet,v 1.28 2017/07/29 05:48:16 maxv Exp $
 
 defflag opt_tcp_debug.h		TCP_DEBUG
 defparam opt_tcp_debug.h	TCP_NDEBUG
@@ -8,7 +8,6 @@ defparam opt_inet_conf.h	SUBNETSARELOCAL
 
 defflagMROUTING
 defflagPIM
-defflagTCP_COMPAT_42
 
 defparam opt_tcp_space.h	TCP_RECVSPACE TCP_SENDSPACE

CVS commit: src/share/man/man4

2017-07-28 Thread Maxime Villard 
Module Name:src
Committed By:   maxv
Date:   Sat Jul 29 05:46:29 UTC 2017

Modified Files:
src/share/man/man4: options.4

Log Message:
Remove TCP_COMPAT_42.


To generate a diff of this commit:
cvs rdiff -u -r1.467 -r1.468 src/share/man/man4/options.4

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/man/man4/options.4
diff -u src/share/man/man4/options.4:1.467 src/share/man/man4/options.4:1.468
--- src/share/man/man4/options.4:1.467	Mon Jul  3 21:30:58 2017
+++ src/share/man/man4/options.4	Sat Jul 29 05:46:29 2017
@@ -1,4 +1,4 @@
-.\"	$NetBSD: options.4,v 1.467 2017/07/03 21:30:58 wiz Exp $
+.\"	$NetBSD: options.4,v 1.468 2017/07/29 05:46:29 maxv Exp $
 .\"
 .\" Copyright (c) 1996
 .\" 	Perry E. Metzger.  All rights reserved.
@@ -30,7 +30,7 @@
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\"
-.Dd March 9, 2017
+.Dd July 29, 2017
 .Dt OPTIONS 4
 .Os
 .Sh NAME
@@ -2012,21 +2012,6 @@ This can be useful if there is a desire 
 privileges to bind those ports, e.g., on firewalls.
 The security tradeoffs in doing this are subtle.
 This option should only be used by experts.
-.It Cd options TCP_COMPAT_42
-.Tn TCP
-bug compatibility with
-.Bx 4.2 .
-In
-.Bx 4.2 ,
-.Tn TCP
-sequence numbers were 32-bit signed values.
-Modern implementations of TCP use unsigned values.
-This option clamps the initial sequence number to start in
-the range 2^31 rather than the full unsigned range of 2^32.
-Also, under
-.Bx 4.2 ,
-keepalive packets must contain at least one byte or else
-the remote end would not respond.
 .It Cd options TCP_DEBUG
 Record the last
 .Em TCP_NDEBUG

CVS commit: src/sys/netinet

2017-07-28 Thread Maxime Villard 
Module Name:src
Committed By:   maxv
Date:   Sat Jul 29 05:08:48 UTC 2017

Modified Files:
src/sys/netinet: tcp_subr.c

Log Message:
Forgot to commit this file yesterday.


To generate a diff of this commit:
cvs rdiff -u -r1.270 -r1.271 src/sys/netinet/tcp_subr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_subr.c
diff -u src/sys/netinet/tcp_subr.c:1.270 src/sys/netinet/tcp_subr.c:1.271
--- src/sys/netinet/tcp_subr.c:1.270	Fri Mar  3 07:13:06 2017
+++ src/sys/netinet/tcp_subr.c	Sat Jul 29 05:08:48 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_subr.c,v 1.270 2017/03/03 07:13:06 ozaki-r Exp $	*/
+/*	$NetBSD: tcp_subr.c,v 1.271 2017/07/29 05:08:48 maxv Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,12 +91,11 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.270 2017/03/03 07:13:06 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.271 2017/07/29 05:08:48 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
 #include "opt_ipsec.h"
-#include "opt_tcp_compat_42.h"
 #include "opt_inet_csum.h"
 #include "opt_mbuftrace.h"
 #endif
@@ -201,11 +200,6 @@ int tcp_init_win_max[] = {
 int	tcp_init_win = TCP_INIT_WIN;
 int	tcp_init_win_local = TCP_INIT_WIN_LOCAL;
 int	tcp_mss_ifmtu = 0;
-#ifdef TCP_COMPAT_42
-int	tcp_compat_42 = 1;
-#else
-int	tcp_compat_42 = 0;
-#endif
 int	tcp_rst_ppslim = 100;	/* 100pps */
 int	tcp_ackdrop_ppslim = 100;	/* 100pps */
 int	tcp_do_loopback_cksum = 0;
@@ -702,10 +696,7 @@ tcp_respond(struct tcpcb *tp, struct mbu
 		if (m == NULL)
 			return (ENOBUFS);
 
-		if (tcp_compat_42)
-			tlen = 1;
-		else
-			tlen = 0;
+		tlen = 0;
 
 		m->m_data += max_linkhdr;
 		bcopy(mtod(mtemplate, void *), mtod(m, void *),
@@ -2347,16 +2338,6 @@ tcp_new_iss1(void *laddr, void *faddr, u
 		}
 	}
 
-	if (tcp_compat_42) {
-		/*
-		 * Limit it to the positive range for really old TCP
-		 * implementations.
-		 * Just AND off the top bit instead of checking if
-		 * is set first - saves a branch 50% of the time.
-		 */
-		tcp_iss &= 0x7fff;		/* XXX */
-	}
-
 	return (tcp_iss);
 }

CVS commit: src/sys/compat/common

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 04:08:47 UTC 2017

Modified Files:
src/sys/compat/common: if_43.c

Log Message:
Kill needless nested extern of vec_compat_cvtcmd/ioctl.

Already declared in if_43.h.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/sys/compat/common/if_43.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/if_43.c
diff -u src/sys/compat/common/if_43.c:1.13 src/sys/compat/common/if_43.c:1.14
--- src/sys/compat/common/if_43.c:1.13	Sat Nov  5 23:30:22 2016
+++ src/sys/compat/common/if_43.c	Sat Jul 29 04:08:47 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_43.c,v 1.13 2016/11/05 23:30:22 pgoyette Exp $	*/
+/*	$NetBSD: if_43.c,v 1.14 2017/07/29 04:08:47 riastradh Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1989, 1990, 1993
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_43.c,v 1.13 2016/11/05 23:30:22 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_43.c,v 1.14 2017/07/29 04:08:47 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -289,9 +289,6 @@ static int (*orig_compat_ifioctl)(struct
 void
 if_43_init(void)
 {
-	extern u_long (*vec_compat_cvtcmd)(u_long);
-	extern int (*vec_compat_ifioctl)(struct socket *, u_long, u_long,
-	void *, struct lwp *);
 
 	orig_compat_cvtcmd = vec_compat_cvtcmd;
 	vec_compat_cvtcmd = compat_cvtcmd;

CVS commit: src/sys

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 04:02:49 UTC 2017

Modified Files:
src/sys/compat/common: vfs_syscalls_43.c
src/sys/sys: vfs_syscalls.h

Log Message:
Declare mountcompatnames in sys/vfs_syscalls.h to kill nested extern.


To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 src/sys/compat/common/vfs_syscalls_43.c
cvs rdiff -u -r1.22 -r1.23 src/sys/sys/vfs_syscalls.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/vfs_syscalls_43.c
diff -u src/sys/compat/common/vfs_syscalls_43.c:1.60 src/sys/compat/common/vfs_syscalls_43.c:1.61
--- src/sys/compat/common/vfs_syscalls_43.c:1.60	Fri Jul 28 15:34:06 2017
+++ src/sys/compat/common/vfs_syscalls_43.c	Sat Jul 29 04:02:49 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_43.c,v 1.60 2017/07/28 15:34:06 riastradh Exp $	*/
+/*	$NetBSD: vfs_syscalls_43.c,v 1.61 2017/07/29 04:02:49 riastradh Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.60 2017/07/28 15:34:06 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.61 2017/07/29 04:02:49 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -524,8 +524,6 @@ static int
 sysctl_vfs_generic_conf(SYSCTLFN_ARGS)
 {
 struct vfsconf vfc;
-extern const char * const mountcompatnames[];
-extern int nmountcompatnames;
 	struct sysctlnode node;
 	struct vfsops *vfsp;
 	u_int vfsnum;
@@ -560,7 +558,6 @@ sysctl_vfs_generic_conf(SYSCTLFN_ARGS)
 void
 compat_sysctl_vfs(struct sysctllog **clog)
 {
-	extern int nmountcompatnames;
 
 	sysctl_createv(clog, 0, NULL, NULL,
 		   CTLFLAG_PERMANENT|CTLFLAG_IMMEDIATE,

Index: src/sys/sys/vfs_syscalls.h
diff -u src/sys/sys/vfs_syscalls.h:1.22 src/sys/sys/vfs_syscalls.h:1.23
--- src/sys/sys/vfs_syscalls.h:1.22	Sat Jan 25 02:28:31 2014
+++ src/sys/sys/vfs_syscalls.h	Sat Jul 29 04:02:49 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_syscalls.h,v 1.22 2014/01/25 02:28:31 christos Exp $*/
+/* $NetBSD: vfs_syscalls.h,v 1.23 2017/07/29 04:02:49 riastradh Exp $*/
 
 /*
  * Copyright (c) 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -83,4 +83,7 @@ void	do_sys_sync(struct lwp *);
 int	chdir_lookup(const char *, int, struct vnode **, struct lwp *);
 void	change_root(struct cwdinfo *, struct vnode *, struct lwp *);
 
+extern const char *const mountcompatnames[];
+extern const int nmountcompatnames;
+
 #endif /* _SYS_VFS_SYSCALLS_H_ */

CVS commit: src/sys/dev/sbus

2017-07-28 Thread Michael Lorenz 
Module Name:src
Committed By:   macallan
Date:   Sat Jul 29 03:32:00 UTC 2017

Modified Files:
src/sys/dev/sbus: mgx.c

Log Message:
make comment match code...


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/sys/dev/sbus/mgx.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/sbus/mgx.c
diff -u src/sys/dev/sbus/mgx.c:1.10 src/sys/dev/sbus/mgx.c:1.11
--- src/sys/dev/sbus/mgx.c:1.10	Sat Jul 29 03:29:49 2017
+++ src/sys/dev/sbus/mgx.c	Sat Jul 29 03:32:00 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: mgx.c,v 1.10 2017/07/29 03:29:49 macallan Exp $ */
+/*	$NetBSD: mgx.c,v 1.11 2017/07/29 03:32:00 macallan Exp $ */
 
 /*-
  * Copyright (c) 2014 Michael Lorenz
@@ -29,7 +29,7 @@
 /* a console driver for the SSB 4096V-MGX graphics card */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: mgx.c,v 1.10 2017/07/29 03:29:49 macallan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mgx.c,v 1.11 2017/07/29 03:32:00 macallan Exp $");
 
 #include 
 #include 
@@ -752,7 +752,7 @@ mgx_putchar_mono(void *cookie, int row, 
 	struct vcons_screen *scr = ri->ri_hw;
 	struct mgx_softc *sc = scr->scr_cookie;
 	void *s, *d;
-	uint32_t fg, bg, scratch = (sc->sc_stride * sc->sc_height + 31) & ~31;
+	uint32_t fg, bg, scratch = (sc->sc_stride * sc->sc_height + 7) & ~7;
 	int x, y, wi, he;
 
 	wi = font->fontwidth;
@@ -785,7 +785,7 @@ mgx_putchar_mono(void *cookie, int row, 
 	 * bitmaps need at least 16bit.
 	 */
 	sc->sc_buf = (sc->sc_buf + 1) & 3; /* rotate through 4 buffers */
-	scratch += sc->sc_buf * ((ri->ri_fontscale + 31) & ~31);
+	scratch += sc->sc_buf * ((ri->ri_fontscale + 7) & ~7);
 	s = WSFONT_GLYPH(c, font);
 	d = (uint8_t *)sc->sc_fbaddr + scratch;
 	memcpy(d, s, ri->ri_fontscale);

CVS commit: src/sys/dev/sbus

2017-07-28 Thread Michael Lorenz 
Module Name:src
Committed By:   macallan
Date:   Sat Jul 29 03:29:49 UTC 2017

Modified Files:
src/sys/dev/sbus: mgx.c mgxreg.h

Log Message:
- use hardware to draw bitmap fonts
- while there enable font loading etc.


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/sys/dev/sbus/mgx.c
cvs rdiff -u -r1.4 -r1.5 src/sys/dev/sbus/mgxreg.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/sbus/mgx.c
diff -u src/sys/dev/sbus/mgx.c:1.9 src/sys/dev/sbus/mgx.c:1.10
--- src/sys/dev/sbus/mgx.c:1.9	Sat May  7 15:32:08 2016
+++ src/sys/dev/sbus/mgx.c	Sat Jul 29 03:29:49 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: mgx.c,v 1.9 2016/05/07 15:32:08 macallan Exp $ */
+/*	$NetBSD: mgx.c,v 1.10 2017/07/29 03:29:49 macallan Exp $ */
 
 /*-
  * Copyright (c) 2014 Michael Lorenz
@@ -29,7 +29,7 @@
 /* a console driver for the SSB 4096V-MGX graphics card */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: mgx.c,v 1.9 2016/05/07 15:32:08 macallan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mgx.c,v 1.10 2017/07/29 03:29:49 macallan Exp $");
 
 #include 
 #include 
@@ -39,6 +39,7 @@ __KERNEL_RCSID(0, "$NetBSD: mgx.c,v 1.9 
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -85,7 +86,7 @@ struct mgx_softc {
 	u_char		sc_cmap_blue[256];
 	int		sc_cursor_x, sc_cursor_y;
 	int		sc_hotspot_x, sc_hotspot_y;
-	int		sc_video;
+	int		sc_video, sc_buf;
 	void (*sc_putchar)(void *, int, int, u_int, long);
 	struct vcons_screen sc_console_screen;
 	struct wsscreen_descr sc_defaultscreen_descr;
@@ -114,7 +115,8 @@ static int	mgx_wait_fifo(struct mgx_soft
 static void	mgx_bitblt(void *, int, int, int, int, int, int, int);
 static void 	mgx_rectfill(void *, int, int, int, int, long);
 
-static void	mgx_putchar(void *, int, int, u_int, long);
+static void	mgx_putchar_aa(void *, int, int, u_int, long);
+static void	mgx_putchar_mono(void *, int, int, u_int, long);
 static void	mgx_cursor(void *, int, int, int);
 static void	mgx_copycols(void *, int, int, int, int);
 static void	mgx_erasecols(void *, int, int, int, long);
@@ -295,7 +297,8 @@ mgx_attach(device_t parent, device_t sel
 		0, 0,
 		NULL,
 		8, 16,
-		WSSCREEN_WSCOLORS | WSSCREEN_HILIT,
+		WSSCREEN_WSCOLORS | WSSCREEN_HILIT | WSSCREEN_UNDERLINE |
+		WSSCREEN_RESIZE,
 		NULL
 	};
 	
@@ -315,6 +318,8 @@ mgx_attach(device_t parent, device_t sel
 
 	vcons_init(>vd, sc, >sc_defaultscreen_descr, _accessops);
 	sc->vd.init_screen = mgx_init_screen;
+	sc->vd.show_screen_cookie = >sc_gc;
+	sc->vd.show_screen_cb = glyphcache_adapt;
 
 	vcons_init_screen(>vd, >sc_console_screen, 1, );
 	sc->sc_console_screen.scr_flags |= VCONS_SCREEN_IS_STATIC;
@@ -331,6 +336,10 @@ mgx_attach(device_t parent, device_t sel
 	sc->sc_gc.gc_blitcookie = sc;
 	sc->sc_gc.gc_rop = ROP_SRC;
 
+	/* 
+	 * leave some room between visible screen and glyph cache for upload
+	 * buffers used by putchar_mono()
+	 */
 	glyphcache_init(>sc_gc,
 	sc->sc_height + 5,
 	(0x40 / sc->sc_stride) - sc->sc_height - 5,
@@ -535,6 +544,7 @@ mgx_setup(struct mgx_softc *sc, int dept
 	if (mgx_wait_fifo(sc, FIFO_AT24) == 0)
 		return;
 
+	sc->sc_buf = 0;
 	/* read name from sequencer */
 	for (i = 0; i < 8; i++) {
 		mgx_write_vga(sc, SEQ_INDEX, i + 0x11);
@@ -597,9 +607,12 @@ mgx_setup(struct mgx_softc *sc, int dept
 		default:
 			return; /* not supported */
 	}
+	mgx_wait_fifo(sc, 4);
 	mgx_write_1(sc, ATR_CLIP_CONTROL, 0);
 	mgx_write_1(sc, ATR_BYTEMASK, 0xff);
 	mgx_write_1(sc, ATR_PIXEL, reg);
+	mgx_write_4(sc, ATR_OFFSET, 0);
+	mgx_wait_fifo(sc, 4);
 	mgx_write_vga(sc, CRTC_INDEX, 0x13);
 	mgx_write_vga(sc, CRTC_DATA, stride & 0xff);
 	mgx_write_vga(sc, CRTC_INDEX, 0x1c);
@@ -609,6 +622,7 @@ mgx_setup(struct mgx_softc *sc, int dept
 	if (depth != MGX_DEPTH) 
 		mgx_rectfill(sc, 0, 0, sc->sc_width, sc->sc_height, 0);	
 
+	mgx_wait_fifo(sc, 4);
 	/* initialize hardware cursor stuff */
 	mgx_write_2(sc, ATR_CURSOR_ADDRESS, (sc->sc_fbsize - 1024) >> 10);
 	mgx_write_1(sc, ATR_CURSOR_ENABLE, 0);
@@ -685,7 +699,7 @@ mgx_rectfill(void *cookie, int x, int y,
 }
 
 static void
-mgx_putchar(void *cookie, int row, int col, u_int c, long attr)
+mgx_putchar_aa(void *cookie, int row, int col, u_int c, long attr)
 {
 	struct rasops_info *ri = cookie;
 	struct wsdisplay_font *font = PICK_FONT(ri, c);
@@ -709,6 +723,7 @@ mgx_putchar(void *cookie, int row, int c
 			mgx_rectfill(sc, x, y + he - 2, wi, 1, fg);
 		return;
 	}
+
 	rv = glyphcache_try(>sc_gc, c, x, y, attr);
 	if (rv != GC_OK) {
 		volatile uint32_t junk;
@@ -730,6 +745,74 @@ mgx_putchar(void *cookie, int row, int c
 }
 
 static void
+mgx_putchar_mono(void *cookie, int row, int col, u_int c, long attr)
+{
+	struct rasops_info *ri = cookie;
+	struct wsdisplay_font *font = PICK_FONT(ri, c);
+	struct vcons_screen *scr = ri->ri_hw;
+	struct mgx_softc *sc = scr->scr_cookie;
+	void *s, *d;
+	uint32_t fg, bg, scratch = (sc->sc_stride * sc->sc_height + 31) & ~31;

CVS commit: src/sys/dev

2017-07-28 Thread Tetsuya Isaki 
Module Name:src
Committed By:   isaki
Date:   Sat Jul 29 03:05:51 UTC 2017

Modified Files:
src/sys/dev: audio.c audiovar.h

Log Message:
Improve audio_set_vchan_defaults().
- Correct confused input/output parameters.
- Remove sc->{sc_channels, sc_precision, sc_frequency}.  They are
  the same as sc->sc_vchan_params.{channels, precision, sample_rate}.
The input parameter of audio_set_vchan_defaults() is now only
sc->sc_vchan_params.

Fix PR kern/52437


To generate a diff of this commit:
cvs rdiff -u -r1.375 -r1.376 src/sys/dev/audio.c
cvs rdiff -u -r1.58 -r1.59 src/sys/dev/audiovar.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/audio.c
diff -u src/sys/dev/audio.c:1.375 src/sys/dev/audio.c:1.376
--- src/sys/dev/audio.c:1.375	Fri Jul 28 03:58:54 2017
+++ src/sys/dev/audio.c	Sat Jul 29 03:05:51 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: audio.c,v 1.375 2017/07/28 03:58:54 nat Exp $	*/
+/*	$NetBSD: audio.c,v 1.376 2017/07/29 03:05:51 isaki Exp $	*/
 
 /*-
  * Copyright (c) 2016 Nathanial Sloss 
@@ -148,7 +148,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.375 2017/07/28 03:58:54 nat Exp $");
+__KERNEL_RCSID(0, "$NetBSD: audio.c,v 1.376 2017/07/29 03:05:51 isaki Exp $");
 
 #ifdef _KERNEL_OPT
 #include "audio.h"
@@ -387,8 +387,7 @@ static int audio_set_params (struct audi
 		 struct virtual_channel *);
 static int
 audio_query_encoding(struct audio_softc *, struct audio_encoding *);
-static int audio_set_vchan_defaults
-	(struct audio_softc *, u_int, const struct audio_format *);
+static int audio_set_vchan_defaults(struct audio_softc *, u_int);
 static int vchan_autoconfig(struct audio_softc *);
 int	au_get_lr_value(struct audio_softc *, mixer_ctrl_t *, int *, int *);
 int	au_set_lr_value(struct audio_softc *, mixer_ctrl_t *, int, int);
@@ -509,16 +508,6 @@ audioattach(device_t parent, device_t se
  	sc->sc_format[0].frequency_type = 1;
  	sc->sc_format[0].frequency[0] = 44100;
 
-	sc->sc_vchan_params.sample_rate = 44100;
-#if BYTE_ORDER == LITTLE_ENDIAN
-	sc->sc_vchan_params.encoding = AUDIO_ENCODING_SLINEAR_LE;
-#else
-	sc->sc_vchan_params.encoding = AUDIO_ENCODING_SLINEAR_BE;
-#endif
-	sc->sc_vchan_params.precision = 16;
-	sc->sc_vchan_params.validbits = 16;
-	sc->sc_vchan_params.channels = 2;
-
 	sc->sc_trigger_started = false;
 	sc->sc_rec_started = false;
 	sc->sc_dying = false;
@@ -535,9 +524,6 @@ audioattach(device_t parent, device_t se
 	vc->sc_lastinfovalid = false;
 	vc->sc_swvol = 255;
 	vc->sc_recswvol = 255;
-	sc->sc_frequency = 44100;
-	sc->sc_precision = 16;
-	sc->sc_channels = 2;
 
 	if (auconv_create_encodings(sc->sc_format, VAUDIO_NFORMATS,
 	>sc_encodings) != 0) {
@@ -4138,9 +4124,11 @@ audio_check_params(struct audio_params *
 	return 0;
 }
 
+/*
+ * set some parameters from sc->sc_vchan_params.
+ */
 static int
-audio_set_vchan_defaults(struct audio_softc *sc, u_int mode,
- const struct audio_format *format)
+audio_set_vchan_defaults(struct audio_softc *sc, u_int mode)
 {
 	struct audio_chan *chan;
 	struct virtual_channel *vc;
@@ -4154,38 +4142,30 @@ audio_set_vchan_defaults(struct audio_so
 		return EINVAL;
 	vc = chan->vc;
 
-	sc->sc_vchan_params.sample_rate = sc->sc_frequency;
-#if BYTE_ORDER == LITTLE_ENDIAN
-	sc->sc_vchan_params.encoding = AUDIO_ENCODING_SLINEAR_LE;
-#else
-	sc->sc_vchan_params.encoding = AUDIO_ENCODING_SLINEAR_BE;
-#endif
-	sc->sc_vchan_params.precision = sc->sc_precision;
-	sc->sc_vchan_params.validbits = sc->sc_precision;
-	sc->sc_vchan_params.channels = sc->sc_channels;
-
 	/* default parameters */
 	vc->sc_rparams = sc->sc_vchan_params;
 	vc->sc_pparams = sc->sc_vchan_params;
 	vc->sc_blkset = false;
 
 	AUDIO_INITINFO();
-	ai.record.sample_rate = sc->sc_frequency;
-	ai.record.encoding= format->encoding;
-	ai.record.channels= sc->sc_channels;
-	ai.record.precision   = sc->sc_precision;
+	ai.record.sample_rate = sc->sc_vchan_params.sample_rate;
+	ai.record.encoding= sc->sc_vchan_params.encoding;
+	ai.record.channels= sc->sc_vchan_params.channels;
+	ai.record.precision   = sc->sc_vchan_params.precision;
 	ai.record.pause	  = false;
-	ai.play.sample_rate   = sc->sc_frequency;
-	ai.play.encoding  = format->encoding;
-	ai.play.channels  = sc->sc_channels;
-	ai.play.precision = sc->sc_precision;
+	ai.play.sample_rate   = sc->sc_vchan_params.sample_rate;
+	ai.play.encoding  = sc->sc_vchan_params.encoding;
+	ai.play.channels  = sc->sc_vchan_params.channels;
+	ai.play.precision = sc->sc_vchan_params.precision;
 	ai.play.pause = false;
 	ai.mode		  = mode;
 
-	sc->sc_format[0].channels = sc->sc_channels;
-	sc->sc_format[0].precision = sc->sc_precision;
-	sc->sc_format[0].validbits = sc->sc_precision;
-	sc->sc_format[0].frequency[0] = sc->sc_frequency;
+	sc->sc_format[0].encoding = sc->sc_vchan_params.encoding;
+	sc->sc_format[0].channels =

CVS commit: src/sys/compat/linux/common

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 02:31:22 UTC 2017

Modified Files:
src/sys/compat/linux/common: linux_time.c

Log Message:
Put suser check in the right function: settimeofday, not gettimeofday.

While here, remove wrong comment.

Noted by kre@.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/sys/compat/linux/common/linux_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/common/linux_time.c
diff -u src/sys/compat/linux/common/linux_time.c:1.38 src/sys/compat/linux/common/linux_time.c:1.39
--- src/sys/compat/linux/common/linux_time.c:1.38	Sat Jul 29 01:14:59 2017
+++ src/sys/compat/linux/common/linux_time.c	Sat Jul 29 02:31:22 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_time.c,v 1.38 2017/07/29 01:14:59 riastradh Exp $ */
+/*	$NetBSD: linux_time.c,v 1.39 2017/07/29 02:31:22 riastradh Exp $ */
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.38 2017/07/29 01:14:59 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.39 2017/07/29 02:31:22 riastradh Exp $");
 
 #include 
 #include 
@@ -79,9 +79,6 @@ linux_sys_gettimeofday(struct lwp *l, co
 	}
 
 	if (SCARG(uap, tzp)) {
-		if (kauth_authorize_generic(kauth_cred_get(),
-			KAUTH_GENERIC_ISSUSER, NULL) != 0)
-			return (EPERM);
 		error = copyout(_sys_tz, SCARG(uap, tzp), sizeof(linux_sys_tz));
 		if (error)
 			return (error);
@@ -105,11 +102,10 @@ linux_sys_settimeofday(struct lwp *l, co
 			return (error);
 	}
 
-	/*
-	 * If user is not the superuser, we returned
-	 * after the sys_settimeofday() call.
-	 */
 	if (SCARG(uap, tzp)) {
+		if (kauth_authorize_generic(kauth_cred_get(),
+			KAUTH_GENERIC_ISSUSER, NULL) != 0)
+			return (EPERM);
 		error = copyin(SCARG(uap, tzp), _sys_tz, sizeof(linux_sys_tz));
 		if (error)
 			return (error);

CVS commit: src/sys/arch/newsmips/apbus

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 02:21:30 UTC 2017

Modified Files:
src/sys/arch/newsmips/apbus: if_sn.c

Log Message:
Avoid memory leak in sonic_get.

If this is the first time around, top is null and nothing else will
free m.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/sys/arch/newsmips/apbus/if_sn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/newsmips/apbus/if_sn.c
diff -u src/sys/arch/newsmips/apbus/if_sn.c:1.38 src/sys/arch/newsmips/apbus/if_sn.c:1.39
--- src/sys/arch/newsmips/apbus/if_sn.c:1.38	Wed Feb 22 09:45:16 2017
+++ src/sys/arch/newsmips/apbus/if_sn.c	Sat Jul 29 02:21:30 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_sn.c,v 1.38 2017/02/22 09:45:16 nonaka Exp $	*/
+/*	$NetBSD: if_sn.c,v 1.39 2017/07/29 02:21:30 riastradh Exp $	*/
 
 /*
  * National Semiconductor  DP8393X SONIC Driver
@@ -16,7 +16,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_sn.c,v 1.38 2017/02/22 09:45:16 nonaka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_sn.c,v 1.39 2017/07/29 02:21:30 riastradh Exp $");
 
 #include "opt_inet.h"
 
@@ -1090,7 +1090,10 @@ sonic_get(struct sn_softc *sc, void *pkt
 		if (datalen >= MINCLSIZE) {
 			MCLGET(m, M_DONTWAIT);
 			if ((m->m_flags & M_EXT) == 0) {
-if (top) m_freem(top);
+if (top)
+	m_freem(top);
+else
+	m_freem(m);
 return 0;
 			}
 			len = MCLBYTES;

CVS commit: src/sys/arch/mac68k/nubus

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 02:17:44 UTC 2017

Modified Files:
src/sys/arch/mac68k/nubus: if_netdock_nubus.c

Log Message:
Avoid memory leak in netdock_get.

If top is null, this is the first time through and nothing else will
free m.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/sys/arch/mac68k/nubus/if_netdock_nubus.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/mac68k/nubus/if_netdock_nubus.c
diff -u src/sys/arch/mac68k/nubus/if_netdock_nubus.c:1.25 src/sys/arch/mac68k/nubus/if_netdock_nubus.c:1.26
--- src/sys/arch/mac68k/nubus/if_netdock_nubus.c:1.25	Thu Dec 15 09:28:03 2016
+++ src/sys/arch/mac68k/nubus/if_netdock_nubus.c	Sat Jul 29 02:17:44 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_netdock_nubus.c,v 1.25 2016/12/15 09:28:03 ozaki-r Exp $	*/
+/*	$NetBSD: if_netdock_nubus.c,v 1.26 2017/07/29 02:17:44 riastradh Exp $	*/
 
 /*
  * Copyright (C) 2000,2002 Daishi Kato 
@@ -43,7 +43,7 @@
 /***/
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_netdock_nubus.c,v 1.25 2016/12/15 09:28:03 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_netdock_nubus.c,v 1.26 2017/07/29 02:17:44 riastradh Exp $");
 
 #include 
 #include 
@@ -802,6 +802,8 @@ netdock_get(struct netdock_softc *sc, in
 			if ((m->m_flags & M_EXT) == 0) {
 if (top)
 	m_freem(top);
+else
+	m_freem(m);
 return (NULL);
 			}
 			len = MCLBYTES;

CVS commit: src/sys/dev/pci

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 01:54:56 UTC 2017

Modified Files:
src/sys/dev/pci: if_ipw.c

Log Message:
Null out sbuf->m on failure to avoid double-free later.

>From Ilja Van Sprundel.

Also null out sbuf->map out of paranoia.


To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 src/sys/dev/pci/if_ipw.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_ipw.c
diff -u src/sys/dev/pci/if_ipw.c:1.64 src/sys/dev/pci/if_ipw.c:1.65
--- src/sys/dev/pci/if_ipw.c:1.64	Tue May 23 02:19:14 2017
+++ src/sys/dev/pci/if_ipw.c	Sat Jul 29 01:54:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ipw.c,v 1.64 2017/05/23 02:19:14 ozaki-r Exp $	*/
+/*	$NetBSD: if_ipw.c,v 1.65 2017/07/29 01:54:56 riastradh Exp $	*/
 /*	FreeBSD: src/sys/dev/ipw/if_ipw.c,v 1.15 2005/11/13 17:17:40 damien Exp 	*/
 
 /*-
@@ -29,7 +29,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.64 2017/05/23 02:19:14 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.65 2017/07/29 01:54:56 riastradh Exp $");
 
 /*-
  * Intel(R) PRO/Wireless 2100 MiniPCI driver
@@ -607,6 +607,7 @@ ipw_dma_alloc(struct ipw_softc *sc)
 		MCLGET(sbuf->m, M_DONTWAIT);
 		if (!(sbuf->m->m_flags & M_EXT)) {
 			m_freem(sbuf->m);
+			sbuf->m = NULL;
 			aprint_error_dev(sc->sc_dev, "could not allocate rx mbuf cluster\n");
 			error = ENOMEM;
 			goto fail;
@@ -619,6 +620,7 @@ ipw_dma_alloc(struct ipw_softc *sc)
 		if (error != 0) {
 			aprint_error_dev(sc->sc_dev, "could not create rxbuf dma map\n");
 			m_freem(sbuf->m);
+			sbuf->m = NULL;
 			goto fail;
 		}
 
@@ -626,7 +628,9 @@ ipw_dma_alloc(struct ipw_softc *sc)
 		sbuf->m, BUS_DMA_READ | BUS_DMA_NOWAIT);
 		if (error != 0) {
 			bus_dmamap_destroy(sc->sc_dmat, sbuf->map);
+			sbuf->map = NULL;
 			m_freem(sbuf->m);
+			sbuf->m = NULL;
 			aprint_error_dev(sc->sc_dev, "could not map rxbuf dma memory\n");
 			goto fail;
 		}

CVS commit: src/sys/dev/pci

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 01:47:48 UTC 2017

Modified Files:
src/sys/dev/pci: if_et.c

Log Message:
Check for MCLGET failure in et_newbuf.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 src/sys/dev/pci/if_et.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_et.c
diff -u src/sys/dev/pci/if_et.c:1.14 src/sys/dev/pci/if_et.c:1.15
--- src/sys/dev/pci/if_et.c:1.14	Thu Dec 15 09:28:05 2016
+++ src/sys/dev/pci/if_et.c	Sat Jul 29 01:47:48 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_et.c,v 1.14 2016/12/15 09:28:05 ozaki-r Exp $	*/
+/*	$NetBSD: if_et.c,v 1.15 2017/07/29 01:47:48 riastradh Exp $	*/
 /*	$OpenBSD: if_et.c,v 1.11 2008/06/08 06:18:07 jsg Exp $	*/
 /*
  * Copyright (c) 2007 The DragonFly Project.  All rights reserved.
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_et.c,v 1.14 2016/12/15 09:28:05 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_et.c,v 1.15 2017/07/29 01:47:48 riastradh Exp $");
 
 #include "opt_inet.h"
 #include "vlan.h"
@@ -2026,6 +2026,10 @@ et_newbuf(struct et_rxbuf_data *rbd, int
 		if (m == NULL)
 			return (ENOBUFS);
 		MCLGET(m, init ? M_WAITOK : M_DONTWAIT);
+		if ((m->m_flags & M_EXT) == 0) {
+			m_freem(m);
+			return (ENOBUFS);
+		}
 		len = MCLBYTES;
 	} else {
 		MGETHDR(m, init ? M_WAITOK : M_DONTWAIT, MT_DATA);

CVS commit: src/sys/dev/ic

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 01:45:22 UTC 2017

Modified Files:
src/sys/dev/ic: i82596.c

Log Message:
Null out sc_rx_mbuf[i] after m_freem to avoid double-free later.

>From Ilja Van Sprundel.

Also null out sc_tx_mbuf[i] after m_freem, out of paranoia.

XXX Not entirely clear to how tx mbufs are freed, but no way to test
this since it's ews4800mips- and hp700-only, so not keen to make any
more elaborate changes...


To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 src/sys/dev/ic/i82596.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/i82596.c
diff -u src/sys/dev/ic/i82596.c:1.36 src/sys/dev/ic/i82596.c:1.37
--- src/sys/dev/ic/i82596.c:1.36	Mon Feb 20 07:43:29 2017
+++ src/sys/dev/ic/i82596.c	Sat Jul 29 01:45:22 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: i82596.c,v 1.36 2017/02/20 07:43:29 ozaki-r Exp $ */
+/* $NetBSD: i82596.c,v 1.37 2017/07/29 01:45:22 riastradh Exp $ */
 
 /*
  * Copyright (c) 2003 Jochen Kunz.
@@ -43,7 +43,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.36 2017/02/20 07:43:29 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.37 2017/07/29 01:45:22 riastradh Exp $");
 
 /* autoconfig and device stuff */
 #include 
@@ -753,6 +753,7 @@ iee_start(struct ifnet *ifp)
 printf("%s: iee_start: can't allocate mbuf\n",
 device_xname(sc->sc_dev));
 m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
 t--;
 continue;
 			}
@@ -762,6 +763,7 @@ iee_start(struct ifnet *ifp)
 printf("%s: iee_start: can't allocate mbuf "
 "cluster\n", device_xname(sc->sc_dev));
 m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
 m_freem(m);
 t--;
 continue;
@@ -777,6 +779,7 @@ iee_start(struct ifnet *ifp)
 printf("%s: iee_start: can't load TX DMA map\n",
 device_xname(sc->sc_dev));
 m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
 t--;
 continue;
 			}
@@ -926,6 +929,7 @@ iee_init(struct ifnet *ifp)
 printf("%s: iee_init: can't allocate mbuf"
 " cluster\n", device_xname(sc->sc_dev));
 m_freem(sc->sc_rx_mbuf[r]);
+sc->sc_rx_mbuf[r] = NULL;
 err = 1;
 break;
 			}
@@ -939,6 +943,7 @@ iee_init(struct ifnet *ifp)
 printf("%s: iee_init: can't create RX "
 "DMA map\n", device_xname(sc->sc_dev));
 m_freem(sc->sc_rx_mbuf[r]);
+sc->sc_rx_mbuf[r] = NULL;
 err = 1;
 break;
 			}
@@ -948,6 +953,7 @@ iee_init(struct ifnet *ifp)
 			device_xname(sc->sc_dev));
 			bus_dmamap_destroy(sc->sc_dmat, sc->sc_rx_map[r]);
 			m_freem(sc->sc_rx_mbuf[r]);
+			sc->sc_rx_mbuf[r] = NULL;
 			err = 1;
 			break;
 		}

CVS commit: src/sys/dev/ic

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 01:34:49 UTC 2017

Modified Files:
src/sys/dev/ic: dp83932.c

Log Message:
Plug mbuf leak on MCLGET failure in sonic_rxintr.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/sys/dev/ic/dp83932.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/dp83932.c
diff -u src/sys/dev/ic/dp83932.c:1.40 src/sys/dev/ic/dp83932.c:1.41
--- src/sys/dev/ic/dp83932.c:1.40	Tue May 23 02:19:14 2017
+++ src/sys/dev/ic/dp83932.c	Sat Jul 29 01:34:49 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: dp83932.c,v 1.40 2017/05/23 02:19:14 ozaki-r Exp $	*/
+/*	$NetBSD: dp83932.c,v 1.41 2017/07/29 01:34:49 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.40 2017/05/23 02:19:14 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.41 2017/07/29 01:34:49 riastradh Exp $");
 
 
 #include 
@@ -786,8 +786,10 @@ sonic_rxintr(struct sonic_softc *sc)
 goto dropit;
 			if (len > (MHLEN - 2)) {
 MCLGET(m, M_DONTWAIT);
-if ((m->m_flags & M_EXT) == 0)
+if ((m->m_flags & M_EXT) == 0) {
+	m_freem(m);
 	goto dropit;
+}
 			}
 			m->m_data += 2;
 			/*

CVS commit: src/sys/dev/ic

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 01:31:20 UTC 2017

Modified Files:
src/sys/dev/ic: dm9000.c

Log Message:
Check for MCLGET failure in dme_alloc_receive_buffer.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/sys/dev/ic/dm9000.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/dm9000.c
diff -u src/sys/dev/ic/dm9000.c:1.11 src/sys/dev/ic/dm9000.c:1.12
--- src/sys/dev/ic/dm9000.c:1.11	Thu Dec 15 09:28:05 2016
+++ src/sys/dev/ic/dm9000.c	Sat Jul 29 01:31:20 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: dm9000.c,v 1.11 2016/12/15 09:28:05 ozaki-r Exp $	*/
+/*	$NetBSD: dm9000.c,v 1.12 2017/07/29 01:31:20 riastradh Exp $	*/
 
 /*
  * Copyright (c) 2009 Paul Fleischer
@@ -1226,8 +1226,13 @@ dme_alloc_receive_buffer(struct ifnet *i
 		sizeof(struct ether_header);
 	/* All our frames have the CRC attached */
 	m->m_flags |= M_HASFCS;
-	if (m->m_pkthdr.len + pad > MHLEN )
+	if (m->m_pkthdr.len + pad > MHLEN) {
 		MCLGET(m, M_DONTWAIT);
+		if ((m->m_flags & M_EXT) == 0) {
+			m_freem(m);
+			return NULL;
+		}
+	}
 
 	m->m_data += pad;
 	m->m_len = frame_length + (frame_length % sc->sc_data_width);

CVS commit: src/sys/dev/ic

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 01:19:29 UTC 2017

Modified Files:
src/sys/dev/ic: bwi.c

Log Message:
Check for M_EXT in m->m_flags, whether m is NULL, after MCLGET.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/sys/dev/ic/bwi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/bwi.c
diff -u src/sys/dev/ic/bwi.c:1.31 src/sys/dev/ic/bwi.c:1.32
--- src/sys/dev/ic/bwi.c:1.31	Thu Feb  2 10:05:35 2017
+++ src/sys/dev/ic/bwi.c	Sat Jul 29 01:19:29 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: bwi.c,v 1.31 2017/02/02 10:05:35 nonaka Exp $	*/
+/*	$NetBSD: bwi.c,v 1.32 2017/07/29 01:19:29 riastradh Exp $	*/
 /*	$OpenBSD: bwi.c,v 1.74 2008/02/25 21:13:30 mglocker Exp $	*/
 
 /*
@@ -48,7 +48,7 @@
 
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.31 2017/02/02 10:05:35 nonaka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.32 2017/07/29 01:19:29 riastradh Exp $");
 
 #include 
 #include 
@@ -8328,7 +8328,7 @@ bwi_newbuf(struct bwi_softc *sc, int buf
 	if (m == NULL)
 		return (ENOBUFS);
 	MCLGET(m, init ? M_WAITOK : M_DONTWAIT);
-	if (m == NULL) {
+	if ((m->m_flags & M_EXT) == 0) {
 		error = ENOBUFS;
 
 		/*

CVS commit: src/sys/compat/linux/common

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 01:14:59 UTC 2017

Modified Files:
src/sys/compat/linux/common: linux_time.c

Log Message:
Only let the superuser set the compat_linux timezone.

Not really keen to invent a new kauth cookie for this useless purpose.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 src/sys/compat/linux/common/linux_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/common/linux_time.c
diff -u src/sys/compat/linux/common/linux_time.c:1.37 src/sys/compat/linux/common/linux_time.c:1.38
--- src/sys/compat/linux/common/linux_time.c:1.37	Mon Jan 13 10:33:03 2014
+++ src/sys/compat/linux/common/linux_time.c	Sat Jul 29 01:14:59 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_time.c,v 1.37 2014/01/13 10:33:03 njoly Exp $ */
+/*	$NetBSD: linux_time.c,v 1.38 2017/07/29 01:14:59 riastradh Exp $ */
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.37 2014/01/13 10:33:03 njoly Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.38 2017/07/29 01:14:59 riastradh Exp $");
 
 #include 
 #include 
@@ -79,6 +79,9 @@ linux_sys_gettimeofday(struct lwp *l, co
 	}
 
 	if (SCARG(uap, tzp)) {
+		if (kauth_authorize_generic(kauth_cred_get(),
+			KAUTH_GENERIC_ISSUSER, NULL) != 0)
+			return (EPERM);
 		error = copyout(_sys_tz, SCARG(uap, tzp), sizeof(linux_sys_tz));
 		if (error)
 			return (error);

CVS commit: src/sys/compat/ibcs2

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 01:14:00 UTC 2017

Modified Files:
src/sys/compat/ibcs2: ibcs2_stat.c

Log Message:
Little happy on the commit trigger.  Actually use the out label.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/sys/compat/ibcs2/ibcs2_stat.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/ibcs2/ibcs2_stat.c
diff -u src/sys/compat/ibcs2/ibcs2_stat.c:1.49 src/sys/compat/ibcs2/ibcs2_stat.c:1.50
--- src/sys/compat/ibcs2/ibcs2_stat.c:1.49	Sat Jul 29 01:05:54 2017
+++ src/sys/compat/ibcs2/ibcs2_stat.c	Sat Jul 29 01:14:00 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_stat.c,v 1.49 2017/07/29 01:05:54 riastradh Exp $	*/
+/*	$NetBSD: ibcs2_stat.c,v 1.50 2017/07/29 01:14:00 riastradh Exp $	*/
 /*
  * Copyright (c) 1995, 1998 Scott Bartram
  * All rights reserved.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.49 2017/07/29 01:05:54 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.50 2017/07/29 01:14:00 riastradh Exp $");
 
 #include 
 #include 
@@ -203,7 +203,7 @@ ibcs2_sys_statvfs(struct lwp *l, const s
 	mp = vp->v_mount;
 	sp = >mnt_stat;
 	if ((error = VFS_STATVFS(mp, sp)) != 0)
-		return (error);
+		goto out;
 	sp->f_flag = mp->mnt_flag & MNT_VISFLAGMASK;
 	error = cvt_statvfs(sp, (void *)SCARG(uap, buf),
 	sizeof(struct ibcs2_statvfs));

CVS commit: src/sys/compat/ibcs2

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Sat Jul 29 01:05:54 UTC 2017

Modified Files:
src/sys/compat/ibcs2: ibcs2_stat.c

Log Message:
Don't drop vnode ref until we're done with mount in ibcs2_stat(v)fs.

Nothing else guarantees the mount will stick around.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/sys/compat/ibcs2/ibcs2_stat.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/ibcs2/ibcs2_stat.c
diff -u src/sys/compat/ibcs2/ibcs2_stat.c:1.48 src/sys/compat/ibcs2/ibcs2_stat.c:1.49
--- src/sys/compat/ibcs2/ibcs2_stat.c:1.48	Fri Sep  5 09:21:54 2014
+++ src/sys/compat/ibcs2/ibcs2_stat.c	Sat Jul 29 01:05:54 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_stat.c,v 1.48 2014/09/05 09:21:54 matt Exp $	*/
+/*	$NetBSD: ibcs2_stat.c,v 1.49 2017/07/29 01:05:54 riastradh Exp $	*/
 /*
  * Copyright (c) 1995, 1998 Scott Bartram
  * All rights reserved.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.48 2014/09/05 09:21:54 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.49 2017/07/29 01:05:54 riastradh Exp $");
 
 #include 
 #include 
@@ -147,11 +147,13 @@ ibcs2_sys_statfs(struct lwp *l, const st
 		return (error);
 	mp = vp->v_mount;
 	sp = >mnt_stat;
-	vrele(vp);
 	if ((error = VFS_STATVFS(mp, sp)) != 0)
-		return (error);
+		goto out;
 	sp->f_flag = mp->mnt_flag & MNT_VISFLAGMASK;
-	return cvt_statfs(sp, (void *)SCARG(uap, buf), SCARG(uap, len));
+	error = cvt_statfs(sp, (void *)SCARG(uap, buf), SCARG(uap, len));
+out:
+	vrele(vp);
+	return (error);
 }
 
 int
@@ -200,12 +202,14 @@ ibcs2_sys_statvfs(struct lwp *l, const s
 		return (error);
 	mp = vp->v_mount;
 	sp = >mnt_stat;
-	vrele(vp);
 	if ((error = VFS_STATVFS(mp, sp)) != 0)
 		return (error);
 	sp->f_flag = mp->mnt_flag & MNT_VISFLAGMASK;
-	return cvt_statvfs(sp, (void *)SCARG(uap, buf),
-			   sizeof(struct ibcs2_statvfs));
+	error = cvt_statvfs(sp, (void *)SCARG(uap, buf),
+	sizeof(struct ibcs2_statvfs));
+out:
+	vrele(vp);
+	return error;
 }
 
 int

CVS commit: src/doc

2017-07-28 Thread Thomas Klausner 
Module Name:src
Committed By:   wiz
Date:   Fri Jul 28 22:53:32 UTC 2017

Modified Files:
src/doc: 3RDPARTY

Log Message:
expat-2.2.2 security fix release out.


To generate a diff of this commit:
cvs rdiff -u -r1.1459 -r1.1460 src/doc/3RDPARTY

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/3RDPARTY
diff -u src/doc/3RDPARTY:1.1459 src/doc/3RDPARTY:1.1460
--- src/doc/3RDPARTY:1.1459	Fri Jul 28 19:31:59 2017
+++ src/doc/3RDPARTY	Fri Jul 28 22:53:32 2017
@@ -1,4 +1,4 @@
-#	$NetBSD: 3RDPARTY,v 1.1459 2017/07/28 19:31:59 wiz Exp $
+#	$NetBSD: 3RDPARTY,v 1.1460 2017/07/28 22:53:32 wiz Exp $
 #
 # This file contains a list of the software that has been integrated into
 # NetBSD where we are not the primary maintainer.
@@ -413,7 +413,7 @@ Notes:
 
 Package:	expat
 Version:	2.2.1
-Current Vers:	2.2.1
+Current Vers:	2.2.2
 Maintainer:	Expat Project
 Archive Site:	http://sourceforge.net/projects/expat/files/expat/
 Home Page:	http://www.libexpat.org/

CVS commit: src/external/gpl3/gcc.old/dist/gcc/config/i386

2017-07-28 Thread Maya Rashish 
Module Name:src
Committed By:   maya
Date:   Fri Jul 28 22:24:27 UTC 2017

Modified Files:
src/external/gpl3/gcc.old/dist/gcc/config/i386: i386.c

Log Message:
Apply upstream patch:
Incorrect codegen from rdseed intrinsic use (CVE-2017-11671)

We should not expand call arguments in between flags reg setting and
flags reg using instructions, as it may expand with flags reg
clobbering insn (ADD in this case).

Attached patch moves expansion out of the link. Also, change
zero-extension to non-flags reg clobbering sequence in case we perform
zero-extension with and.

2017-03-25  Uros Bizjak


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 \
src/external/gpl3/gcc.old/dist/gcc/config/i386/i386.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/gpl3/gcc.old/dist/gcc/config/i386/i386.c
diff -u src/external/gpl3/gcc.old/dist/gcc/config/i386/i386.c:1.6 src/external/gpl3/gcc.old/dist/gcc/config/i386/i386.c:1.7
--- src/external/gpl3/gcc.old/dist/gcc/config/i386/i386.c:1.6	Sun Jul 23 01:11:06 2017
+++ src/external/gpl3/gcc.old/dist/gcc/config/i386/i386.c	Fri Jul 28 22:24:27 2017
@@ -39529,9 +39529,6 @@ ix86_expand_builtin (tree exp, rtx targe
   mode0 = DImode;
 
 rdrand_step:
-  op0 = gen_reg_rtx (mode0);
-  emit_insn (GEN_FCN (icode) (op0));
-
   arg0 = CALL_EXPR_ARG (exp, 0);
   op1 = expand_normal (arg0);
   if (!address_operand (op1, VOIDmode))
@@ -39539,6 +39536,10 @@ rdrand_step:
 	  op1 = convert_memory_address (Pmode, op1);
 	  op1 = copy_addr_to_reg (op1);
 	}
+
+  op0 = gen_reg_rtx (mode0);
+  emit_insn (GEN_FCN (icode) (op0));
+
   emit_move_insn (gen_rtx_MEM (mode0, op1), op0);
 
   op1 = gen_reg_rtx (SImode);
@@ -39547,8 +39548,20 @@ rdrand_step:
   /* Emit SImode conditional move.  */
   if (mode0 == HImode)
 	{
-	  op2 = gen_reg_rtx (SImode);
-	  emit_insn (gen_zero_extendhisi2 (op2, op0));
+	  if (TARGET_ZERO_EXTEND_WITH_AND
+	  && optimize_function_for_speed_p (cfun))
+	{
+	  op2 = force_reg (SImode, const0_rtx);
+
+	  emit_insn (gen_movstricthi
+			 (gen_lowpart (HImode, op2), op0));
+	}
+	  else
+	{
+	  op2 = gen_reg_rtx (SImode);
+
+	  emit_insn (gen_zero_extendhisi2 (op2, op0));
+	}
 	}
   else if (mode0 == SImode)
 	op2 = op0;
@@ -39580,9 +39593,6 @@ rdrand_step:
   mode0 = DImode;
 
 rdseed_step:
-  op0 = gen_reg_rtx (mode0);
-  emit_insn (GEN_FCN (icode) (op0));
-
   arg0 = CALL_EXPR_ARG (exp, 0);
   op1 = expand_normal (arg0);
   if (!address_operand (op1, VOIDmode))
@@ -39590,6 +39600,10 @@ rdseed_step:
 	  op1 = convert_memory_address (Pmode, op1);
 	  op1 = copy_addr_to_reg (op1);
 	}
+
+  op0 = gen_reg_rtx (mode0);
+  emit_insn (GEN_FCN (icode) (op0));
+
   emit_move_insn (gen_rtx_MEM (mode0, op1), op0);
 
   op2 = gen_reg_rtx (QImode);

CVS commit: src/external/gpl3/gcc/dist/gcc/config/i386

2017-07-28 Thread Maya Rashish 
Module Name:src
Committed By:   maya
Date:   Fri Jul 28 22:23:05 UTC 2017

Modified Files:
src/external/gpl3/gcc/dist/gcc/config/i386: i386.c

Log Message:
Apply upstream patch:
Incorrect codegen from rdseed intrinsic use (CVE-2017-11671)

We should not expand call arguments in between flags reg setting and
flags reg using instructions, as it may expand with flags reg
clobbering insn (ADD in this case).

Attached patch moves expansion out of the link. Also, change
zero-extension to non-flags reg clobbering sequence in case we perform
zero-extension with and.

2017-03-25  Uros Bizjak  


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/external/gpl3/gcc/dist/gcc/config/i386/i386.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/gpl3/gcc/dist/gcc/config/i386/i386.c
diff -u src/external/gpl3/gcc/dist/gcc/config/i386/i386.c:1.12 src/external/gpl3/gcc/dist/gcc/config/i386/i386.c:1.13
--- src/external/gpl3/gcc/dist/gcc/config/i386/i386.c:1.12	Tue Jun  7 06:14:17 2016
+++ src/external/gpl3/gcc/dist/gcc/config/i386/i386.c	Fri Jul 28 22:23:05 2017
@@ -39529,9 +39529,6 @@ ix86_expand_builtin (tree exp, rtx targe
   mode0 = DImode;
 
 rdrand_step:
-  op0 = gen_reg_rtx (mode0);
-  emit_insn (GEN_FCN (icode) (op0));
-
   arg0 = CALL_EXPR_ARG (exp, 0);
   op1 = expand_normal (arg0);
   if (!address_operand (op1, VOIDmode))
@@ -39539,6 +39536,10 @@ rdrand_step:
 	  op1 = convert_memory_address (Pmode, op1);
 	  op1 = copy_addr_to_reg (op1);
 	}
+
+  op0 = gen_reg_rtx (mode0);
+  emit_insn (GEN_FCN (icode) (op0));
+
   emit_move_insn (gen_rtx_MEM (mode0, op1), op0);
 
   op1 = gen_reg_rtx (SImode);
@@ -39547,8 +39548,20 @@ rdrand_step:
   /* Emit SImode conditional move.  */
   if (mode0 == HImode)
 	{
-	  op2 = gen_reg_rtx (SImode);
-	  emit_insn (gen_zero_extendhisi2 (op2, op0));
+	  if (TARGET_ZERO_EXTEND_WITH_AND
+	  && optimize_function_for_speed_p (cfun))
+	{
+	  op2 = force_reg (SImode, const0_rtx);
+
+	  emit_insn (gen_movstricthi
+			 (gen_lowpart (HImode, op2), op0));
+	}
+	  else
+	{
+	  op2 = gen_reg_rtx (SImode);
+
+	  emit_insn (gen_zero_extendhisi2 (op2, op0));
+	}
 	}
   else if (mode0 == SImode)
 	op2 = op0;
@@ -39580,9 +39593,6 @@ rdrand_step:
   mode0 = DImode;
 
 rdseed_step:
-  op0 = gen_reg_rtx (mode0);
-  emit_insn (GEN_FCN (icode) (op0));
-
   arg0 = CALL_EXPR_ARG (exp, 0);
   op1 = expand_normal (arg0);
   if (!address_operand (op1, VOIDmode))
@@ -39590,6 +39600,10 @@ rdseed_step:
 	  op1 = convert_memory_address (Pmode, op1);
 	  op1 = copy_addr_to_reg (op1);
 	}
+
+  op0 = gen_reg_rtx (mode0);
+  emit_insn (GEN_FCN (icode) (op0));
+
   emit_move_insn (gen_rtx_MEM (mode0, op1), op0);
 
   op2 = gen_reg_rtx (QImode);

CVS commit: src/doc

2017-07-28 Thread Thomas Klausner 
Module Name:src
Committed By:   wiz
Date:   Fri Jul 28 19:31:59 UTC 2017

Modified Files:
src/doc: 3RDPARTY

Log Message:
binutils-2.29 out.


To generate a diff of this commit:
cvs rdiff -u -r1.1458 -r1.1459 src/doc/3RDPARTY

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/3RDPARTY
diff -u src/doc/3RDPARTY:1.1458 src/doc/3RDPARTY:1.1459
--- src/doc/3RDPARTY:1.1458	Thu Jul 27 18:12:07 2017
+++ src/doc/3RDPARTY	Fri Jul 28 19:31:59 2017
@@ -1,4 +1,4 @@
-#	$NetBSD: 3RDPARTY,v 1.1458 2017/07/27 18:12:07 jmcneill Exp $
+#	$NetBSD: 3RDPARTY,v 1.1459 2017/07/28 19:31:59 wiz Exp $
 #
 # This file contains a list of the software that has been integrated into
 # NetBSD where we are not the primary maintainer.
@@ -186,7 +186,7 @@ Todo[5]: Reconcile the doc directory.
 
 Package:	binutils
 Version:	2.27
-Current Vers:	2.28
+Current Vers:	2.29
 Maintainer:	FSF
 Archive Site:	ftp://ftp.gnu.org/gnu/binutils/
 Home Page:	http://www.gnu.org/software/binutils/

CVS commit: src/sys/arch

2017-07-28 Thread Maxime Villard 
Module Name:src
Committed By:   maxv
Date:   Fri Jul 28 19:26:16 UTC 2017

Modified Files:
src/sys/arch/acorn32/conf: EB7500ATX GENERIC INSTALL LOWMEM_WSCONS NC
src/sys/arch/amd64/conf: ALL
src/sys/arch/amiga/conf: DRACO GENERIC GENERIC.in
src/sys/arch/epoc32/conf: GENERIC
src/sys/arch/hp300/conf: GENERIC INSTALL
src/sys/arch/mipsco/conf: GENERIC INSTALL RC3230
src/sys/arch/newsmips/conf: GENERIC
src/sys/arch/pmax/conf: GENERIC GENERIC64
src/sys/arch/prep/conf: GENERIC
src/sys/arch/sgimips/conf: GENERIC32_IP12 GENERIC32_IP2x GENERIC32_IP3x
GENERIC64_IP2x GENERIC64_IP3x
src/sys/arch/sun3/conf: DISKLESS DISKLESS3X GENERIC GENERIC3X INSTALL
INSTALL3X RAMDISK RAMDISK3X

Log Message:
Remove TCP_COMPAT_42 from the config files. Pass 1.


To generate a diff of this commit:
cvs rdiff -u -r1.61 -r1.62 src/sys/arch/acorn32/conf/EB7500ATX
cvs rdiff -u -r1.120 -r1.121 src/sys/arch/acorn32/conf/GENERIC
cvs rdiff -u -r1.76 -r1.77 src/sys/arch/acorn32/conf/INSTALL
cvs rdiff -u -r1.70 -r1.71 src/sys/arch/acorn32/conf/LOWMEM_WSCONS
cvs rdiff -u -r1.69 -r1.70 src/sys/arch/acorn32/conf/NC
cvs rdiff -u -r1.61 -r1.62 src/sys/arch/amd64/conf/ALL
cvs rdiff -u -r1.180 -r1.181 src/sys/arch/amiga/conf/DRACO
cvs rdiff -u -r1.314 -r1.315 src/sys/arch/amiga/conf/GENERIC
cvs rdiff -u -r1.132 -r1.133 src/sys/arch/amiga/conf/GENERIC.in
cvs rdiff -u -r1.13 -r1.14 src/sys/arch/epoc32/conf/GENERIC
cvs rdiff -u -r1.194 -r1.195 src/sys/arch/hp300/conf/GENERIC
cvs rdiff -u -r1.60 -r1.61 src/sys/arch/hp300/conf/INSTALL
cvs rdiff -u -r1.88 -r1.89 src/sys/arch/mipsco/conf/GENERIC
cvs rdiff -u -r1.30 -r1.31 src/sys/arch/mipsco/conf/INSTALL
cvs rdiff -u -r1.47 -r1.48 src/sys/arch/mipsco/conf/RC3230
cvs rdiff -u -r1.129 -r1.130 src/sys/arch/newsmips/conf/GENERIC
cvs rdiff -u -r1.190 -r1.191 src/sys/arch/pmax/conf/GENERIC
cvs rdiff -u -r1.24 -r1.25 src/sys/arch/pmax/conf/GENERIC64
cvs rdiff -u -r1.181 -r1.182 src/sys/arch/prep/conf/GENERIC
cvs rdiff -u -r1.29 -r1.30 src/sys/arch/sgimips/conf/GENERIC32_IP12
cvs rdiff -u -r1.108 -r1.109 src/sys/arch/sgimips/conf/GENERIC32_IP2x
cvs rdiff -u -r1.111 -r1.112 src/sys/arch/sgimips/conf/GENERIC32_IP3x
cvs rdiff -u -r1.4 -r1.5 src/sys/arch/sgimips/conf/GENERIC64_IP2x \
src/sys/arch/sgimips/conf/GENERIC64_IP3x
cvs rdiff -u -r1.72 -r1.73 src/sys/arch/sun3/conf/DISKLESS
cvs rdiff -u -r1.57 -r1.58 src/sys/arch/sun3/conf/DISKLESS3X \
src/sys/arch/sun3/conf/INSTALL3X
cvs rdiff -u -r1.172 -r1.173 src/sys/arch/sun3/conf/GENERIC
cvs rdiff -u -r1.126 -r1.127 src/sys/arch/sun3/conf/GENERIC3X
cvs rdiff -u -r1.58 -r1.59 src/sys/arch/sun3/conf/INSTALL
cvs rdiff -u -r1.53 -r1.54 src/sys/arch/sun3/conf/RAMDISK
cvs rdiff -u -r1.41 -r1.42 src/sys/arch/sun3/conf/RAMDISK3X

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/acorn32/conf/EB7500ATX
diff -u src/sys/arch/acorn32/conf/EB7500ATX:1.61 src/sys/arch/acorn32/conf/EB7500ATX:1.62
--- src/sys/arch/acorn32/conf/EB7500ATX:1.61	Tue Dec 13 20:42:15 2016
+++ src/sys/arch/acorn32/conf/EB7500ATX	Fri Jul 28 19:26:15 2017
@@ -1,4 +1,4 @@
-#	$NetBSD: EB7500ATX,v 1.61 2016/12/13 20:42:15 christos Exp $
+#	$NetBSD: EB7500ATX,v 1.62 2017/07/28 19:26:15 maxv Exp $
 #
 #	EB7500ATX --- NetBSD/acorn32 complete configuration
 #
@@ -22,7 +22,7 @@ include		"arch/acorn32/conf/std.acorn32"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident		"EB7500ATX-$Revision: 1.61 $"
+#ident		"EB7500ATX-$Revision: 1.62 $"
 
 # estimated number of users
 maxusers	32
@@ -108,7 +108,6 @@ options 	COMPAT_16	# NetBSD 1.6,
 options 	COMPAT_20	# NetBSD 2.0,
 options 	COMPAT_30	# NetBSD 3.0, and
 options 	COMPAT_40	# NetBSD 4.0 binary compatibility.
-#options 	TCP_COMPAT_42	# 4.2BSD TCP/IP bug compat. Not recommended.
 options		COMPAT_BSDPTY	# /dev/[pt]ty?? ptys.
 
 # Shared memory options

Index: src/sys/arch/acorn32/conf/GENERIC
diff -u src/sys/arch/acorn32/conf/GENERIC:1.120 src/sys/arch/acorn32/conf/GENERIC:1.121
--- src/sys/arch/acorn32/conf/GENERIC:1.120	Tue Dec 13 20:42:15 2016
+++ src/sys/arch/acorn32/conf/GENERIC	Fri Jul 28 19:26:15 2017
@@ -1,4 +1,4 @@
-# 	$NetBSD: GENERIC,v 1.120 2016/12/13 20:42:15 christos Exp $
+# 	$NetBSD: GENERIC,v 1.121 2017/07/28 19:26:15 maxv Exp $
 #
 #	GENERIC --- NetBSD/acorn32 complete configuration
 #
@@ -22,7 +22,7 @@ include		"arch/acorn32/conf/std.acorn32"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident		"GENERIC-$Revision: 1.120 $"
+#ident		"GENERIC-$Revision: 1.121 $"
 
 # estimated number of users
 maxusers	32
@@ -121,7 +121,6 @@ options 	COMPAT_40	# NetBSD 4.0,
 options 	COMPAT_50	# NetBSD 5.0,
 options 	COMPAT_60	# NetBSD 6.0, and
 options 	COMPAT_70	# NetBSD 7.0 binary compatibility.
-#options 	TCP_COMPAT_42	# 4.2BSD TCP/IP bug compat. Not recommended.
 options		COMPAT_BSDPTY	#

CVS commit: src/sys/netinet

2017-07-28 Thread Maxime Villard 
Module Name:src
Committed By:   maxv
Date:   Fri Jul 28 19:16:41 UTC 2017

Modified Files:
src/sys/netinet: tcp_timer.c tcp_usrreq.c tcp_var.h

Log Message:
Remove TCP_COMPAT_42. This feature is a workaround for a bug in the TCP
stack of BSD4.2. Having such features just does not make any sense, and
looking at the code, I'm not sure it actually works.


To generate a diff of this commit:
cvs rdiff -u -r1.91 -r1.92 src/sys/netinet/tcp_timer.c
cvs rdiff -u -r1.214 -r1.215 src/sys/netinet/tcp_usrreq.c
cvs rdiff -u -r1.178 -r1.179 src/sys/netinet/tcp_var.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_timer.c
diff -u src/sys/netinet/tcp_timer.c:1.91 src/sys/netinet/tcp_timer.c:1.92
--- src/sys/netinet/tcp_timer.c:1.91	Mon Jul 25 00:10:38 2016
+++ src/sys/netinet/tcp_timer.c	Fri Jul 28 19:16:41 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_timer.c,v 1.91 2016/07/25 00:10:38 knakahara Exp $	*/
+/*	$NetBSD: tcp_timer.c,v 1.92 2017/07/28 19:16:41 maxv Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -93,7 +93,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_timer.c,v 1.91 2016/07/25 00:10:38 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_timer.c,v 1.92 2017/07/28 19:16:41 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -564,19 +564,11 @@ tcp_timer_keep(void *arg)
 		 * correspondent TCP to respond.
 		 */
 		TCP_STATINC(TCP_STAT_KEEPPROBE);
-		if (tcp_compat_42) {
-			/*
-			 * The keepalive packet must have nonzero
-			 * length to get a 4.2 host to respond.
-			 */
-			(void)tcp_respond(tp, tp->t_template,
-			NULL, NULL, tp->rcv_nxt - 1,
-			tp->snd_una - 1, 0);
-		} else {
-			(void)tcp_respond(tp, tp->t_template,
-			NULL, NULL, tp->rcv_nxt,
-			tp->snd_una - 1, 0);
-		}
+
+		(void)tcp_respond(tp, tp->t_template,
+		NULL, NULL, tp->rcv_nxt,
+		tp->snd_una - 1, 0);
+
 		TCP_TIMER_ARM(tp, TCPT_KEEP, tp->t_keepintvl);
 	} else
 		TCP_TIMER_ARM(tp, TCPT_KEEP, tp->t_keepidle);

Index: src/sys/netinet/tcp_usrreq.c
diff -u src/sys/netinet/tcp_usrreq.c:1.214 src/sys/netinet/tcp_usrreq.c:1.215
--- src/sys/netinet/tcp_usrreq.c:1.214	Tue Jan 24 07:09:24 2017
+++ src/sys/netinet/tcp_usrreq.c	Fri Jul 28 19:16:41 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_usrreq.c,v 1.214 2017/01/24 07:09:24 ozaki-r Exp $	*/
+/*	$NetBSD: tcp_usrreq.c,v 1.215 2017/07/28 19:16:41 maxv Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -99,7 +99,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.214 2017/01/24 07:09:24 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.215 2017/07/28 19:16:41 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2152,12 +2152,6 @@ sysctl_net_inet_tcp_setup2(struct sysctl
 		   CTL_NET, pf, IPPROTO_TCP, TCPCTL_TSTAMP, CTL_EOL);
 	sysctl_createv(clog, 0, NULL, NULL,
 		   CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
-		   CTLTYPE_INT, "compat_42",
-		   SYSCTL_DESCR("Enable workarounds for 4.2BSD TCP bugs"),
-		   NULL, 0, _compat_42, 0,
-		   CTL_NET, pf, IPPROTO_TCP, TCPCTL_COMPAT_42, CTL_EOL);
-	sysctl_createv(clog, 0, NULL, NULL,
-		   CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 		   CTLTYPE_INT, "cwm",
 		   SYSCTL_DESCR("Hughes/Touch/Heidemann Congestion Window "
 "Monitoring"),

Index: src/sys/netinet/tcp_var.h
diff -u src/sys/netinet/tcp_var.h:1.178 src/sys/netinet/tcp_var.h:1.179
--- src/sys/netinet/tcp_var.h:1.178	Fri Jul  7 01:37:34 2017
+++ src/sys/netinet/tcp_var.h	Fri Jul 28 19:16:41 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_var.h,v 1.178 2017/07/07 01:37:34 ozaki-r Exp $	*/
+/*	$NetBSD: tcp_var.h,v 1.179 2017/07/28 19:16:41 maxv Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -811,7 +811,6 @@ extern	int tcp_init_win;	/* initial wind
 extern	int tcp_init_win_local;	/* initial window for local nets */
 extern	int tcp_init_win_max[11];/* max sizes for values of tcp_init_win_* */
 extern	int tcp_mss_ifmtu;	/* take MSS from interface, not in_maxmtu */
-extern	int tcp_compat_42;	/* work around ancient broken TCP peers */
 extern	int tcp_cwm;		/* enable Congestion Window Monitoring */
 extern	int tcp_cwm_burstsize;	/* burst size allowed by CWM */
 extern	int tcp_ack_on_push;	/* ACK immediately on PUSH */
@@ -877,7 +876,6 @@ extern int tcp_autosndbuf_max;
 	{ 1, 0, _do_sack },			\
 	{ 1, 0, _do_win_scale },		\
 	{ 1, 0, _do_timestamps },		\
-	{ 1, 0, _compat_42 },		\
 	{ 1, 0, _cwm },			\
 	{ 1, 0, _cwm_burstsize },		\
 	{ 1, 0, _ack_on_push },		\

CVS commit: src/sys/compat/ibcs2

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 17:57:48 UTC 2017

Modified Files:
src/sys/compat/ibcs2: ibcs2_ioctl.c

Log Message:
Zero buffers in ibcs2 ioctl to avoid disclosing stack to userland.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/sys/compat/ibcs2/ibcs2_ioctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/ibcs2/ibcs2_ioctl.c
diff -u src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 src/sys/compat/ibcs2/ibcs2_ioctl.c:1.46
--- src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45	Tue Jun 24 10:03:17 2008
+++ src/sys/compat/ibcs2/ibcs2_ioctl.c	Fri Jul 28 17:57:48 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $	*/
+/*	$NetBSD: ibcs2_ioctl.c,v 1.46 2017/07/28 17:57:48 riastradh Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995 Scott Bartram
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.46 2017/07/28 17:57:48 riastradh Exp $");
 
 #include 
 #include 
@@ -402,8 +402,10 @@ ibcs2_sys_ioctl(struct lwp *l, const str
 		if ((error = (*ctl)(fp, TIOCGETA, )) != 0)
 			goto out;
 
+		memset(, 0, sizeof(sts));
 		btios2stios(, );
 		if (SCARG(uap, cmd) == IBCS2_TCGETA) {
+			memset(, 0, sizeof(st));
 			stios2stio(, );
 			error = copyout(, SCARG(uap, data), sizeof(st));
 			if (error)
@@ -559,6 +561,7 @@ ibcs2_sys_gtty(struct lwp *l, const stru
 
 	fd_putfile(SCARG(uap, fd));
 
+	memset(, 0, sizeof(itb));
 	itb.sg_ispeed = tb.sg_ispeed;
 	itb.sg_ospeed = tb.sg_ospeed;
 	itb.sg_erase = tb.sg_erase;

CVS commit: src/sys/compat/svr4

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 17:52:47 UTC 2017

Modified Files:
src/sys/compat/svr4: svr4_stream.c

Log Message:
Check bounds in svr4_sys_putmsg.  Check more svr4_strmcmd bounds.

svr4 streams code is still a disaster.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.90 -r1.91 src/sys/compat/svr4/svr4_stream.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4/svr4_stream.c
diff -u src/sys/compat/svr4/svr4_stream.c:1.90 src/sys/compat/svr4/svr4_stream.c:1.91
--- src/sys/compat/svr4/svr4_stream.c:1.90	Fri Jul 28 17:43:46 2017
+++ src/sys/compat/svr4/svr4_stream.c	Fri Jul 28 17:52:47 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_stream.c,v 1.90 2017/07/28 17:43:46 riastradh Exp $	 */
+/*	$NetBSD: svr4_stream.c,v 1.91 2017/07/28 17:52:47 riastradh Exp $	 */
 
 /*-
  * Copyright (c) 1994, 2008 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.90 2017/07/28 17:43:46 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.91 2017/07/28 17:52:47 riastradh Exp $");
 
 #include 
 #include 
@@ -533,6 +533,11 @@ si_listen(file_t *fp, int fd, struct svr
 
 	if ((error = copyin(NETBSD32PTR(ioc->buf), , ioc->len)) != 0)
 		return error;
+	if (lst.offs < 0 ||
+	lst.len < 0 ||
+	lst.len > ioc->len ||
+	ioc->len - lst.len < lst.offs)
+		return EINVAL;
 
 	if (lst.cmd != SVR4_TI_OLD_BIND_REQUEST) {
 		DPRINTF(("si_listen: bad request %ld\n", lst.cmd));
@@ -777,7 +782,10 @@ ti_bind(file_t *fp, int fd, struct svr4_
 		DPRINTF(("ti_bind: bad request %ld\n", bnd.cmd));
 		return EINVAL;
 	}
-	if (bnd.offs < 0)
+	if (bnd.offs < 0 ||
+	bnd.len < 0 ||
+	bnd.len > ioc->len ||
+	ioc->len - bnd.len < bnd.offs)
 		return EINVAL;
 
 	switch (st->s_family) {
@@ -1434,7 +1442,10 @@ svr4_sys_putmsg(struct lwp *l, const str
 
 	if ((error = copyin(NETBSD32PTR(ctl.buf), , ctl.len)) != 0)
 		goto out;
-	if (sc.offs < 0) {
+	if (sc.offs < 0 ||
+	sc.len < 0 ||
+	sc.len > ctl.len ||
+	sc.offs > ctl.len - sc.len) {
 		error = EINVAL;
 		goto out;
 	}
@@ -1481,8 +1492,11 @@ svr4_sys_putmsg(struct lwp *l, const str
 			*retval = 0;
 			error = 0;
 			goto out;
-		}
-		else {
+		} else if (sc.len < sizeof(dev_t[2])) {
+			*retval = 0;
+			error = EINVAL;
+			goto out;
+		} else {
 			/* Maybe we've been given a device/inode pair */
 			dev_t *dev = SVR4_ADDROF();
 			svr4_ino_t *ino = (svr4_ino_t *) [1];

CVS commit: src/sys/compat/svr4

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 17:43:46 UTC 2017

Modified Files:
src/sys/compat/svr4: svr4_stream.c

Log Message:
Feebly attempt to get this reference counting less bad.

This svr4 streams code is bad and it should feel bad.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.89 -r1.90 src/sys/compat/svr4/svr4_stream.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4/svr4_stream.c
diff -u src/sys/compat/svr4/svr4_stream.c:1.89 src/sys/compat/svr4/svr4_stream.c:1.90
--- src/sys/compat/svr4/svr4_stream.c:1.89	Fri Jul 28 16:55:48 2017
+++ src/sys/compat/svr4/svr4_stream.c	Fri Jul 28 17:43:46 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_stream.c,v 1.89 2017/07/28 16:55:48 riastradh Exp $	 */
+/*	$NetBSD: svr4_stream.c,v 1.90 2017/07/28 17:43:46 riastradh Exp $	 */
 
 /*-
  * Copyright (c) 1994, 2008 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.89 2017/07/28 16:55:48 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.90 2017/07/28 17:43:46 riastradh Exp $");
 
 #include 
 #include 
@@ -1507,10 +1507,12 @@ svr4_sys_putmsg(struct lwp *l, const str
  	switch (st->s_cmd = sc.cmd) {
 	case SVR4_TI_CONNECT_REQUEST:	/* connect 	*/
 	 	KERNEL_UNLOCK_ONE(NULL);
+		fd_putfile(SCARG(uap, fd));
 		return do_sys_connect(l, SCARG(uap, fd), skp);
 
 	case SVR4_TI_SENDTO_REQUEST:	/* sendto 	*/
 	 	KERNEL_UNLOCK_ONE(NULL);
+		fd_putfile(SCARG(uap, fd));
 		msg.msg_name = skp;
 		msg.msg_namelen = skp->sa_len;
 		msg.msg_iov =

CVS commit: src/sys/compat

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 17:38:36 UTC 2017

Modified Files:
src/sys/compat/svr4: svr4_signal.c
src/sys/compat/svr4_32: svr4_32_signal.c

Log Message:
Fix indexing of svr4 signals.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.66 -r1.67 src/sys/compat/svr4/svr4_signal.c
cvs rdiff -u -r1.28 -r1.29 src/sys/compat/svr4_32/svr4_32_signal.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4/svr4_signal.c
diff -u src/sys/compat/svr4/svr4_signal.c:1.66 src/sys/compat/svr4/svr4_signal.c:1.67
--- src/sys/compat/svr4/svr4_signal.c:1.66	Sun Nov  9 18:16:55 2014
+++ src/sys/compat/svr4/svr4_signal.c	Fri Jul 28 17:38:35 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_signal.c,v 1.66 2014/11/09 18:16:55 maxv Exp $	 */
+/*	$NetBSD: svr4_signal.c,v 1.67 2017/07/28 17:38:35 riastradh Exp $	 */
 
 /*-
  * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.66 2014/11/09 18:16:55 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.67 2017/07/28 17:38:35 riastradh Exp $");
 
 #include 
 #include 
@@ -72,6 +72,21 @@ void native_to_svr4_sigaction(const stru
 extern const int native_to_svr4_signo[];
 extern const int svr4_to_native_signo[];
 
+static int
+svr4_decode_signum(int signum, int *native_signo, int *sigcall)
+{
+
+	if (SVR4_SIGNO(signum) >= SVR4_NSIG)
+		return EINVAL;
+
+	if (native_signo)
+		*native_signo = svr4_to_native_signo[SVR4_SIGNO(signum)];
+	if (sigcall)
+		*sigcall = SVR4_SIGCALL(signum);
+
+	return 0;
+}
+
 static inline void
 svr4_sigfillset(svr4_sigset_t *s)
 {
@@ -173,6 +188,7 @@ svr4_sys_sigaction(struct lwp *l, const 
 	} */
 	struct svr4_sigaction nssa, ossa;
 	struct sigaction nbsa, obsa;
+	int native_signo;
 	int error;
 
 	if (SCARG(uap, nsa)) {
@@ -181,7 +197,12 @@ svr4_sys_sigaction(struct lwp *l, const 
 			return (error);
 		svr4_to_native_sigaction(, );
 	}
-	error = sigaction1(l, svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))],
+
+	error = svr4_decode_signum(SCARG(uap, signum), _signo, NULL);
+	if (error)
+		return error;
+
+	error = sigaction1(l, native_signo,
 	SCARG(uap, nsa) ?  : 0, SCARG(uap, osa) ?  : 0,
 	NULL, 0);
 	if (error)
@@ -216,16 +237,18 @@ svr4_sys_signal(struct lwp *l, const str
 		syscallarg(int) signum;
 		syscallarg(svr4_sig_t) handler;
 	} */
-	int signum = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))];
+	int native_signo, sigcall;
 	struct proc *p = l->l_proc;
 	struct sigaction nbsa, obsa;
 	sigset_t ss;
 	int error;
 
-	if (signum <= 0 || signum >= SVR4_NSIG)
-		return (EINVAL);
+	error = svr4_decode_signum(SCARG(uap, signum), _signo,
+	);
+	if (error)
+		return error;
 
-	switch (SVR4_SIGCALL(SCARG(uap, signum))) {
+	switch (sigcall) {
 	case SVR4_SIGDEFER_MASK:
 		if (SCARG(uap, handler) == SVR4_SIG_HOLD)
 			goto sighold;
@@ -235,7 +258,7 @@ svr4_sys_signal(struct lwp *l, const str
 		nbsa.sa_handler = (sig_t)SCARG(uap, handler);
 		sigemptyset(_mask);
 		nbsa.sa_flags = 0;
-		error = sigaction1(l, signum, , , NULL, 0);
+		error = sigaction1(l, native_signo, , , NULL, 0);
 		if (error)
 			return (error);
 		*retval = (u_int)(u_long)obsa.sa_handler;
@@ -244,7 +267,7 @@ svr4_sys_signal(struct lwp *l, const str
 	case SVR4_SIGHOLD_MASK:
 	sighold:
 		sigemptyset();
-		sigaddset(, signum);
+		sigaddset(, native_signo);
 		mutex_enter(p->p_lock);
 		error = sigprocmask1(l, SIG_BLOCK, , 0);
 		mutex_exit(p->p_lock);
@@ -252,7 +275,7 @@ svr4_sys_signal(struct lwp *l, const str
 
 	case SVR4_SIGRELSE_MASK:
 		sigemptyset();
-		sigaddset(, signum);
+		sigaddset(, native_signo);
 		mutex_enter(p->p_lock);
 		error = sigprocmask1(l, SIG_UNBLOCK, , 0);
 		mutex_exit(p->p_lock);
@@ -262,11 +285,11 @@ svr4_sys_signal(struct lwp *l, const str
 		nbsa.sa_handler = SIG_IGN;
 		sigemptyset(_mask);
 		nbsa.sa_flags = 0;
-		return (sigaction1(l, signum, , 0, NULL, 0));
+		return (sigaction1(l, native_signo, , 0, NULL, 0));
 
 	case SVR4_SIGPAUSE_MASK:
 		ss = l->l_sigmask;	/* XXXAD locking */
-		sigdelset(, signum);
+		sigdelset(, native_signo);
 		return (sigsuspend1(l, ));
 
 	default:
@@ -392,9 +415,15 @@ svr4_sys_kill(struct lwp *l, const struc
 		syscallarg(int) signum;
 	} */
 	struct sys_kill_args ka;
+	int native_signo;
+	int error;
+
+	error = svr4_decode_signum(SCARG(uap, signum), _signo, NULL);
+	if (error)
+		return error;
 
 	SCARG(, pid) = SCARG(uap, pid);
-	SCARG(, signum) = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))];
+	SCARG(, signum) = native_signo;
 	return sys_kill(l, , retval);
 }
 

Index: src/sys/compat/svr4_32/svr4_32_signal.c
diff -u src/sys/compat/svr4_32/svr4_32_signal.c:1.28 src/sys/compat/svr4_32/svr4_32_signal.c:1.29
--- src/sys/compat/svr4_32/svr4_32_signal.c:1.28	Mon Apr  4 23:07:06 2016
+++ src/sys/compat/svr4_32/svr4_32_signal.c	Fri

CVS commit: src/sys/opencrypto

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 17:14:04 UTC 2017

Modified Files:
src/sys/opencrypto: ocryptodev.c

Log Message:
Avoid another userland-controlled integer overflow.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/sys/opencrypto/ocryptodev.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/opencrypto/ocryptodev.c
diff -u src/sys/opencrypto/ocryptodev.c:1.10 src/sys/opencrypto/ocryptodev.c:1.11
--- src/sys/opencrypto/ocryptodev.c:1.10	Fri Jul 28 14:16:29 2017
+++ src/sys/opencrypto/ocryptodev.c	Fri Jul 28 17:14:04 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ocryptodev.c,v 1.10 2017/07/28 14:16:29 riastradh Exp $ */
+/*	$NetBSD: ocryptodev.c,v 1.11 2017/07/28 17:14:04 riastradh Exp $ */
 /*	$FreeBSD: src/sys/opencrypto/cryptodev.c,v 1.4.2.4 2003/06/03 00:09:02 sam Exp $	*/
 /*	$OpenBSD: cryptodev.c,v 1.53 2002/07/10 22:21:30 mickey Exp $	*/
 
@@ -69,7 +69,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ocryptodev.c,v 1.10 2017/07/28 14:16:29 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ocryptodev.c,v 1.11 2017/07/28 17:14:04 riastradh Exp $");
 
 #include 
 #include 
@@ -127,6 +127,11 @@ ocryptof_ioctl(struct file *fp, u_long c
 		break;
 	case CIOCNGSESSION:
 		osgop = (struct ocrypt_sgop *)data;
+		if ((osgop->count <= 0) ||
+		(SIZE_MAX/sizeof(struct osession_n_op) < osgop->count)) {
+			error = EINVAL;
+			break;
+		}
 		osnop = kmem_alloc((osgop->count *
   sizeof(struct osession_n_op)), KM_SLEEP);
 		error = copyin(osgop->sessions, osnop, osgop->count *

CVS commit: src/sys/compat/svr4

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 16:57:12 UTC 2017

Modified Files:
src/sys/compat/svr4: svr4_lwp.c

Log Message:
Zero stack data before copyout.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/sys/compat/svr4/svr4_lwp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4/svr4_lwp.c
diff -u src/sys/compat/svr4/svr4_lwp.c:1.19 src/sys/compat/svr4/svr4_lwp.c:1.20
--- src/sys/compat/svr4/svr4_lwp.c:1.19	Mon Nov 23 00:46:07 2009
+++ src/sys/compat/svr4/svr4_lwp.c	Fri Jul 28 16:57:12 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $	*/
+/*	$NetBSD: svr4_lwp.c,v 1.20 2017/07/28 16:57:12 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.20 2017/07/28 16:57:12 riastradh Exp $");
 
 #include 
 #include 
@@ -108,6 +108,8 @@ svr4_sys__lwp_info(struct lwp *l, const 
 	struct svr4_lwpinfo lwpinfo;
 	int error;
 
+	memset(, 0, sizeof(lwpinfo));
+
 	/* XXX NJWLWP */
 	TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_stime, _stime);
 	TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_utime, _utime);

CVS commit: src/sys/compat/svr4

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 16:55:48 UTC 2017

Modified Files:
src/sys/compat/svr4: svr4_stream.c

Log Message:
Fix some of the multitudinous holes in svr4 streams.

We should never have enabled this by default; it is a minefield.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.88 -r1.89 src/sys/compat/svr4/svr4_stream.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4/svr4_stream.c
diff -u src/sys/compat/svr4/svr4_stream.c:1.88 src/sys/compat/svr4/svr4_stream.c:1.89
--- src/sys/compat/svr4/svr4_stream.c:1.88	Wed Apr 26 03:02:48 2017
+++ src/sys/compat/svr4/svr4_stream.c	Fri Jul 28 16:55:48 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_stream.c,v 1.88 2017/04/26 03:02:48 riastradh Exp $	 */
+/*	$NetBSD: svr4_stream.c,v 1.89 2017/07/28 16:55:48 riastradh Exp $	 */
 
 /*-
  * Copyright (c) 1994, 2008 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.88 2017/04/26 03:02:48 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_stream.c,v 1.89 2017/07/28 16:55:48 riastradh Exp $");
 
 #include 
 #include 
@@ -527,7 +527,8 @@ si_listen(file_t *fp, int fd, struct svr
 	if (st == NULL)
 		return EINVAL;
 
-	if (ioc->len > sizeof(lst))
+	if (ioc->len < offsetof(struct svr4_strmcmd, pad) ||
+	ioc->len > sizeof(lst))
 		return EINVAL;
 
 	if ((error = copyin(NETBSD32PTR(ioc->buf), , ioc->len)) != 0)
@@ -717,7 +718,9 @@ ti_getinfo(file_t *fp, int fd, struct sv
 
 	memset(, 0, sizeof(info));
 
-	if (ioc->len > sizeof(info))
+	/* tsdu is next after cmd, the only field we read */
+	if (ioc->len < offsetof(struct svr4_infocmd, tsdu) ||
+	ioc->len > sizeof(info))
 		return EINVAL;
 
 	if ((error = copyin(NETBSD32PTR(ioc->buf), , ioc->len)) != 0)
@@ -763,7 +766,8 @@ ti_bind(file_t *fp, int fd, struct svr4_
 		return EINVAL;
 	}
 
-	if (ioc->len > sizeof(bnd))
+	if (ioc->len < offsetof(struct svr4_strmcmd, pad) ||
+	ioc->len > sizeof(bnd))
 		return EINVAL;
 
 	if ((error = copyin(NETBSD32PTR(ioc->buf), , ioc->len)) != 0)
@@ -773,6 +777,8 @@ ti_bind(file_t *fp, int fd, struct svr4_
 		DPRINTF(("ti_bind: bad request %ld\n", bnd.cmd));
 		return EINVAL;
 	}
+	if (bnd.offs < 0)
+		return EINVAL;
 
 	switch (st->s_family) {
 	case AF_INET:
@@ -782,6 +788,9 @@ ti_bind(file_t *fp, int fd, struct svr4_
 		if (bnd.offs == 0)
 			goto reply;
 
+		if (ioc->len < sizeof(struct svr4_netaddr_in) ||
+		bnd.offs > ioc->len - sizeof(struct svr4_netaddr_in))
+			return EINVAL;
 		netaddr_to_sockaddr_in(sain, );
 
 		DPRINTF(("TI_BIND: fam %d, port %d, addr %x\n",
@@ -795,6 +804,9 @@ ti_bind(file_t *fp, int fd, struct svr4_
 		if (bnd.offs == 0)
 			goto reply;
 
+		if (ioc->len < sizeof(struct svr4_netaddr_un) ||
+		bnd.offs > ioc->len - sizeof(struct svr4_netaddr_un))
+			return EINVAL;
 		netaddr_to_sockaddr_un(saun, );
 
 		if (saun->sun_path[0] == '\0')
@@ -1412,7 +1424,8 @@ svr4_sys_putmsg(struct lwp *l, const str
 		goto out;
 	}
 
-	if (ctl.len > sizeof(sc)) {
+	if (ctl.len < offsetof(struct svr4_strmcmd, pad) ||
+	ctl.len > sizeof(sc)) {
 		DPRINTF(("putmsg: Bad control size %ld != %d\n",
 		(unsigned long)sizeof(struct svr4_strmcmd), ctl.len));
 		error = EINVAL;
@@ -1421,6 +1434,10 @@ svr4_sys_putmsg(struct lwp *l, const str
 
 	if ((error = copyin(NETBSD32PTR(ctl.buf), , ctl.len)) != 0)
 		goto out;
+	if (sc.offs < 0) {
+		error = EINVAL;
+		goto out;
+	}
 
 	switch (st->s_family) {
 	case AF_INET:
@@ -1723,8 +1740,16 @@ svr4_sys_getmsg(struct lwp *l, const str
 		if (ctl.len > sizeof(sc))
 			ctl.len = sizeof(sc);
 
+		if (ctl.len < offsetof(struct svr4_strmcmd, pad)) {
+			error = EINVAL;
+			goto out;
+		}
 		if ((error = copyin(NETBSD32PTR(ctl.buf), , ctl.len)) != 0)
 			goto out;
+		if (sc.offs < 0) {
+			error = EINVAL;
+			goto out;
+		}
 
 		msg.msg_name = NULL;
 		msg.msg_namelen = 0;

CVS commit: src/sys/dev

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 16:30:41 UTC 2017

Modified Files:
src/sys/dev: vnd.c

Log Message:
Appease toxic bullshit warning from gcc.

If you have a better way to write a useful bounds check that happens
to always pass on LP64 but doesn't always on LP32, without making it
fail to compile on LP64 or making it an #ifdef conditional on LP32,
please put it in here instead.


To generate a diff of this commit:
cvs rdiff -u -r1.261 -r1.262 src/sys/dev/vnd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/vnd.c
diff -u src/sys/dev/vnd.c:1.261 src/sys/dev/vnd.c:1.262
--- src/sys/dev/vnd.c:1.261	Fri Jul 28 16:22:01 2017
+++ src/sys/dev/vnd.c	Fri Jul 28 16:30:41 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vnd.c,v 1.261 2017/07/28 16:22:01 riastradh Exp $	*/
+/*	$NetBSD: vnd.c,v 1.262 2017/07/28 16:30:41 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2008 The NetBSD Foundation, Inc.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.261 2017/07/28 16:22:01 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.262 2017/07/28 16:30:41 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_vnd.h"
@@ -1303,9 +1303,20 @@ vndioctl(dev_t dev, u_long cmd, void *da
 			}
 			KASSERT(0 < vnd->sc_comp_blksz);
 			KASSERT(0 < vnd->sc_comp_numoffs);
-			if ((SIZE_MAX/sizeof(uint64_t) <
-vnd->sc_comp_numoffs) ||
-			(vattr.va_size < sizeof(struct vnd_comp_header)) ||
+			/*
+			 * @#^@!$& gcc -Wtype-limits refuses to let me
+			 * write SIZE_MAX/sizeof(uint64_t) < numoffs,
+			 * because the range of the type on amd64 makes
+			 * the comparisons always false.
+			 */
+#if SIZE_MAX <= UINT32_MAX*(64/CHAR_BIT)
+			if (SIZE_MAX/sizeof(uint64_t) < vnd->sc_comp_numoffs) {
+VOP_UNLOCK(nd.ni_vp);
+error = EINVAL;
+goto close_and_exit;
+			}
+#endif
+			if ((vattr.va_size < sizeof(struct vnd_comp_header)) ||
 			(vattr.va_size - sizeof(struct vnd_comp_header) <
 sizeof(uint64_t)*vnd->sc_comp_numoffs) ||
 			(UQUAD_MAX/vnd->sc_comp_blksz <

CVS commit: src/sys/dev

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 16:22:01 UTC 2017

Modified Files:
src/sys/dev: vnd.c

Log Message:
Fix indentation.  u_intN_t -> uintN_t.  ntohl -> be32toh.

No functional change intended.


To generate a diff of this commit:
cvs rdiff -u -r1.260 -r1.261 src/sys/dev/vnd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/vnd.c
diff -u src/sys/dev/vnd.c:1.260 src/sys/dev/vnd.c:1.261
--- src/sys/dev/vnd.c:1.260	Fri Jul 28 16:19:20 2017
+++ src/sys/dev/vnd.c	Fri Jul 28 16:22:01 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vnd.c,v 1.260 2017/07/28 16:19:20 riastradh Exp $	*/
+/*	$NetBSD: vnd.c,v 1.261 2017/07/28 16:22:01 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2008 The NetBSD Foundation, Inc.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.260 2017/07/28 16:19:20 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.261 2017/07/28 16:22:01 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_vnd.h"
@@ -1267,34 +1267,34 @@ vndioctl(dev_t dev, u_long cmd, void *da
 #ifdef VND_COMPRESSION
 			struct vnd_comp_header *ch;
 			int i;
-			u_int32_t comp_size;
-			u_int32_t comp_maxsize;
+			uint32_t comp_size;
+			uint32_t comp_maxsize;
 
 			/* allocate space for compresed file header */
 			ch = malloc(sizeof(struct vnd_comp_header),
-			M_TEMP, M_WAITOK);
+			M_TEMP, M_WAITOK);
 
 			/* read compressed file header */
 			error = vn_rdwr(UIO_READ, nd.ni_vp, (void *)ch,
-			  sizeof(struct vnd_comp_header), 0, UIO_SYSSPACE,
-			  IO_UNIT|IO_NODELOCKED, l->l_cred, NULL, NULL);
+			sizeof(struct vnd_comp_header), 0, UIO_SYSSPACE,
+			IO_UNIT|IO_NODELOCKED, l->l_cred, NULL, NULL);
 			if (error) {
 free(ch, M_TEMP);
 VOP_UNLOCK(nd.ni_vp);
 goto close_and_exit;
 			}
 
-			if (ntohl(ch->block_size) == 0 ||
-			ntohl(ch->num_blocks) > UINT32_MAX - 1) {
+			if (be32toh(ch->block_size) == 0 ||
+			be32toh(ch->num_blocks) > UINT32_MAX - 1) {
 free(ch, M_TEMP);
 VOP_UNLOCK(nd.ni_vp);
 goto close_and_exit;
 			}
 
 			/* save some header info */
-			vnd->sc_comp_blksz = ntohl(ch->block_size);
+			vnd->sc_comp_blksz = be32toh(ch->block_size);
 			/* note last offset is the file byte size */
-			vnd->sc_comp_numoffs = ntohl(ch->num_blocks)+1;
+			vnd->sc_comp_numoffs = be32toh(ch->num_blocks) + 1;
 			free(ch, M_TEMP);
 			if (!DK_DEV_BSIZE_OK(vnd->sc_comp_blksz)) {
 VOP_UNLOCK(nd.ni_vp);
@@ -1325,14 +1325,14 @@ vndioctl(dev_t dev, u_long cmd, void *da
 			/* allocate space for all the compressed offsets */
 			__CTASSERT(UINT32_MAX <= UQUAD_MAX/sizeof(uint64_t));
 			vnd->sc_comp_offsets =
-			malloc(sizeof(u_int64_t) * vnd->sc_comp_numoffs,
-			M_DEVBUF, M_WAITOK);
+			malloc(sizeof(uint64_t) * vnd->sc_comp_numoffs,
+M_DEVBUF, M_WAITOK);
 
 			/* read in the offsets */
 			error = vn_rdwr(UIO_READ, nd.ni_vp,
-			  (void *)vnd->sc_comp_offsets,
-			  sizeof(u_int64_t) * vnd->sc_comp_numoffs,
-			  sizeof(struct vnd_comp_header), UIO_SYSSPACE,
+			(void *)vnd->sc_comp_offsets,
+			sizeof(uint64_t) * vnd->sc_comp_numoffs,
+			sizeof(struct vnd_comp_header), UIO_SYSSPACE,
 			  IO_UNIT|IO_NODELOCKED, l->l_cred, NULL, NULL);
 			if (error) {
 VOP_UNLOCK(nd.ni_vp);
@@ -1345,22 +1345,24 @@ vndioctl(dev_t dev, u_long cmd, void *da
 			comp_maxsize = 0;
 			for (i = 0; i < vnd->sc_comp_numoffs - 1; i++) {
 vnd->sc_comp_offsets[i] =
-  be64toh(vnd->sc_comp_offsets[i]);
-comp_size = be64toh(vnd->sc_comp_offsets[i + 1])
-  - vnd->sc_comp_offsets[i];
+be64toh(vnd->sc_comp_offsets[i]);
+comp_size =
+be64toh(vnd->sc_comp_offsets[i + 1])
+- vnd->sc_comp_offsets[i];
 if (comp_size > comp_maxsize)
 	comp_maxsize = comp_size;
 			}
 			vnd->sc_comp_offsets[vnd->sc_comp_numoffs - 1] =
-			  be64toh(vnd->sc_comp_offsets[vnd->sc_comp_numoffs - 1]);
+			be64toh(vnd->sc_comp_offsets[vnd->sc_comp_numoffs
+- 1]);
 
 			/* create compressed data buffer */
 			vnd->sc_comp_buff = malloc(comp_maxsize,
-			  M_DEVBUF, M_WAITOK);
+			M_DEVBUF, M_WAITOK);
 
 			/* create decompressed buffer */
 			vnd->sc_comp_decombuf = malloc(vnd->sc_comp_blksz,
-			  M_DEVBUF, M_WAITOK);
+			M_DEVBUF, M_WAITOK);
 			vnd->sc_comp_buffblk = -1;
 
 			/* Initialize decompress stream */
@@ -1371,7 +1373,7 @@ vndioctl(dev_t dev, u_long cmd, void *da
 			if (error) {
 if (vnd->sc_comp_stream.msg)
 	printf("vnd%d: compressed file, %s\n",
-	  unit, vnd->sc_comp_stream.msg);
+	unit, vnd->sc_comp_stream.msg);
 VOP_UNLOCK(nd.ni_vp);
 error = EINVAL;
 goto close_and_exit;

CVS commit: src/sys/dev

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 16:19:20 UTC 2017

Modified Files:
src/sys/dev: vnd.c

Log Message:
Put in a litany of judicious bounds checks around vnd headers.

Thought I was done with this crap after I rewrote vndcompress(1)!

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.259 -r1.260 src/sys/dev/vnd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/vnd.c
diff -u src/sys/dev/vnd.c:1.259 src/sys/dev/vnd.c:1.260
--- src/sys/dev/vnd.c:1.259	Sat Mar 25 07:00:33 2017
+++ src/sys/dev/vnd.c	Fri Jul 28 16:19:20 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vnd.c,v 1.259 2017/03/25 07:00:33 pgoyette Exp $	*/
+/*	$NetBSD: vnd.c,v 1.260 2017/07/28 16:19:20 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2008 The NetBSD Foundation, Inc.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.259 2017/03/25 07:00:33 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.260 2017/07/28 16:19:20 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_vnd.h"
@@ -1284,6 +1284,13 @@ vndioctl(dev_t dev, u_long cmd, void *da
 goto close_and_exit;
 			}
 
+			if (ntohl(ch->block_size) == 0 ||
+			ntohl(ch->num_blocks) > UINT32_MAX - 1) {
+free(ch, M_TEMP);
+VOP_UNLOCK(nd.ni_vp);
+goto close_and_exit;
+			}
+
 			/* save some header info */
 			vnd->sc_comp_blksz = ntohl(ch->block_size);
 			/* note last offset is the file byte size */
@@ -1294,20 +1301,29 @@ vndioctl(dev_t dev, u_long cmd, void *da
 error = EINVAL;
 goto close_and_exit;
 			}
-			if (sizeof(struct vnd_comp_header) +
-			  sizeof(u_int64_t) * vnd->sc_comp_numoffs >
-			  vattr.va_size) {
+			KASSERT(0 < vnd->sc_comp_blksz);
+			KASSERT(0 < vnd->sc_comp_numoffs);
+			if ((SIZE_MAX/sizeof(uint64_t) <
+vnd->sc_comp_numoffs) ||
+			(vattr.va_size < sizeof(struct vnd_comp_header)) ||
+			(vattr.va_size - sizeof(struct vnd_comp_header) <
+sizeof(uint64_t)*vnd->sc_comp_numoffs) ||
+			(UQUAD_MAX/vnd->sc_comp_blksz <
+vnd->sc_comp_numoffs - 1)) {
 VOP_UNLOCK(nd.ni_vp);
 error = EINVAL;
 goto close_and_exit;
 			}
 
 			/* set decompressed file size */
+			KASSERT(vnd->sc_comp_numoffs - 1 <=
+			UQUAD_MAX/vnd->sc_comp_blksz);
 			vattr.va_size =
 			((u_quad_t)vnd->sc_comp_numoffs - 1) *
 			 (u_quad_t)vnd->sc_comp_blksz;
 
 			/* allocate space for all the compressed offsets */
+			__CTASSERT(UINT32_MAX <= UQUAD_MAX/sizeof(uint64_t));
 			vnd->sc_comp_offsets =
 			malloc(sizeof(u_int64_t) * vnd->sc_comp_numoffs,
 			M_DEVBUF, M_WAITOK);

CVS commit: src/share/man/man4/man4.pmax

2017-07-28 Thread Thomas Klausner 
Module Name:src
Committed By:   wiz
Date:   Fri Jul 28 16:11:03 UTC 2017

Modified Files:
src/share/man/man4/man4.pmax: intro.4

Log Message:
New sentence, new line.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/share/man/man4/man4.pmax/intro.4

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/man/man4/man4.pmax/intro.4
diff -u src/share/man/man4/man4.pmax/intro.4:1.21 src/share/man/man4/man4.pmax/intro.4:1.22
--- src/share/man/man4/man4.pmax/intro.4:1.21	Fri Jul 28 15:58:24 2017
+++ src/share/man/man4/man4.pmax/intro.4	Fri Jul 28 16:11:03 2017
@@ -27,7 +27,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\"	$NetBSD: intro.4,v 1.21 2017/07/28 15:58:24 flxd Exp $
+.\"	$NetBSD: intro.4,v 1.22 2017/07/28 16:11:03 wiz Exp $
 .\"
 .Dd July 28, 2017
 .Dt INTRO 4 pmax
@@ -94,7 +94,8 @@ The following systems are supported:
 .Pp
 .Bl -tag -width speaker -offset indent -compact
 .It DECstation 2100 and 3100
-also known as "PMIN" and "PMAX". The 2100 and 3100 differ only in CPU clock
+also known as "PMIN" and "PMAX".
+The 2100 and 3100 differ only in CPU clock
 speed.
 .It DECsystem 5100
 also known as "MIPSMATE".

CVS commit: src/sys/arch/amd64/conf

2017-07-28 Thread Maxime Villard 
Module Name:src
Committed By:   maxv
Date:   Fri Jul 28 16:10:29 UTC 2017

Modified Files:
src/sys/arch/amd64/conf: GENERIC XEN3_DOM0 XEN3_DOMU

Log Message:
After a careful review, and all things considered, disable compat43 by
default on amd64. The use case is limited, the potential for damage too
high, and it is safer to run a BSD4.3 binary on i386 since the kernel does
not have to go through netbsd32 - which may not correctly reproduce i386.


To generate a diff of this commit:
cvs rdiff -u -r1.461 -r1.462 src/sys/arch/amd64/conf/GENERIC
cvs rdiff -u -r1.136 -r1.137 src/sys/arch/amd64/conf/XEN3_DOM0
cvs rdiff -u -r1.75 -r1.76 src/sys/arch/amd64/conf/XEN3_DOMU

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/conf/GENERIC
diff -u src/sys/arch/amd64/conf/GENERIC:1.461 src/sys/arch/amd64/conf/GENERIC:1.462
--- src/sys/arch/amd64/conf/GENERIC:1.461	Sat Jul 22 13:03:54 2017
+++ src/sys/arch/amd64/conf/GENERIC	Fri Jul 28 16:10:28 2017
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.461 2017/07/22 13:03:54 maxv Exp $
+# $NetBSD: GENERIC,v 1.462 2017/07/28 16:10:28 maxv Exp $
 #
 # GENERIC machine description file
 #
@@ -22,7 +22,7 @@ include 	"arch/amd64/conf/std.amd64"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident		"GENERIC-$Revision: 1.461 $"
+#ident		"GENERIC-$Revision: 1.462 $"
 
 maxusers	64		# estimated number of users
 
@@ -132,7 +132,7 @@ options 	COMPAT_40	# NetBSD 4.0,
 options 	COMPAT_50	# NetBSD 5.0,
 options 	COMPAT_60	# NetBSD 6.0, and
 options 	COMPAT_70	# NetBSD 7.0 binary compatibility.
-options 	COMPAT_43	# and 4.3BSD
+#options 	COMPAT_43	# and 4.3BSD
 #options 	COMPAT_386BSD_MBRPART # recognize old partition ID
 
 options 	COMPAT_OSSAUDIO

Index: src/sys/arch/amd64/conf/XEN3_DOM0
diff -u src/sys/arch/amd64/conf/XEN3_DOM0:1.136 src/sys/arch/amd64/conf/XEN3_DOM0:1.137
--- src/sys/arch/amd64/conf/XEN3_DOM0:1.136	Thu Jun 22 18:14:32 2017
+++ src/sys/arch/amd64/conf/XEN3_DOM0	Fri Jul 28 16:10:28 2017
@@ -1,4 +1,4 @@
-# $NetBSD: XEN3_DOM0,v 1.136 2017/06/22 18:14:32 khorben Exp $
+# $NetBSD: XEN3_DOM0,v 1.137 2017/07/28 16:10:28 maxv Exp $
 
 include 	"arch/amd64/conf/std.xen"
 
@@ -62,7 +62,7 @@ makeoptions	COPTS="-O2 -fno-omit-frame-p
 options DDB_COMMANDONENTER="trace;show registers"
 
 # Compatibility options
-options 	COMPAT_43	# 4.3BSD binary compatibility.
+#options 	COMPAT_43	# 4.3BSD binary compatibility.
 options 	COMPAT_15	# NetBSD 1.5,
 options 	COMPAT_16	# NetBSD 1.6,
 options 	COMPAT_20	# NetBSD 2.0,

Index: src/sys/arch/amd64/conf/XEN3_DOMU
diff -u src/sys/arch/amd64/conf/XEN3_DOMU:1.75 src/sys/arch/amd64/conf/XEN3_DOMU:1.76
--- src/sys/arch/amd64/conf/XEN3_DOMU:1.75	Sun May 21 06:19:37 2017
+++ src/sys/arch/amd64/conf/XEN3_DOMU	Fri Jul 28 16:10:28 2017
@@ -1,4 +1,4 @@
-# $NetBSD: XEN3_DOMU,v 1.75 2017/05/21 06:19:37 pgoyette Exp $
+# $NetBSD: XEN3_DOMU,v 1.76 2017/07/28 16:10:28 maxv Exp $
 
 include 	"arch/amd64/conf/std.xen"
 
@@ -54,7 +54,7 @@ makeoptions	COPTS="-O2 -fno-omit-frame-p
 options DDB_COMMANDONENTER="trace;show registers"
 
 # Compatibility options
-options 	COMPAT_43	# 4.3BSD binary compatibility.
+#options 	COMPAT_43	# 4.3BSD binary compatibility.
 options 	COMPAT_15	# NetBSD 1.5,
 options 	COMPAT_16	# NetBSD 1.6,
 options 	COMPAT_20	# NetBSD 2.0,
@@ -251,4 +251,3 @@ pseudo-device	nsmb			# experimental - SM
 
 # userland interface to drivers, including autoconf and properties retrieval
 pseudo-device	drvctl
-

CVS commit: src/share/man/man4/man4.pmax

2017-07-28 Thread Felix Deichmann 
Module Name:src
Committed By:   flxd
Date:   Fri Jul 28 15:58:24 UTC 2017

Modified Files:
src/share/man/man4/man4.pmax: intro.4 sii.4

Log Message:
* sii(4) was never used in VAXstation 3100 (uses si(4) and is NCR-based).
* Reference scsi(4) in sii(4).
* Add more machines to pmax/intro(4).
* Small fixes.


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/share/man/man4/man4.pmax/intro.4
cvs rdiff -u -r1.13 -r1.14 src/share/man/man4/man4.pmax/sii.4

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/man/man4/man4.pmax/intro.4
diff -u src/share/man/man4/man4.pmax/intro.4:1.20 src/share/man/man4/man4.pmax/intro.4:1.21
--- src/share/man/man4/man4.pmax/intro.4:1.20	Tue Jul 25 08:30:45 2017
+++ src/share/man/man4/man4.pmax/intro.4	Fri Jul 28 15:58:24 2017
@@ -27,9 +27,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\"	$NetBSD: intro.4,v 1.20 2017/07/25 08:30:45 wiz Exp $
+.\"	$NetBSD: intro.4,v 1.21 2017/07/28 15:58:24 flxd Exp $
 .\"
-.Dd February 17, 2017
+.Dd July 28, 2017
 .Dt INTRO 4 pmax
 .Os
 .Sh NAME
@@ -94,7 +94,8 @@ The following systems are supported:
 .Pp
 .Bl -tag -width speaker -offset indent -compact
 .It DECstation 2100 and 3100
-also known as "pmax". The 2100 and 3100 differ only in CPU clock speed.
+also known as "PMIN" and "PMAX". The 2100 and 3100 differ only in CPU clock
+speed.
 .It DECsystem 5100
 also known as "MIPSMATE".
 .It DECstation 5000/200
@@ -107,9 +108,9 @@ The 5000/1xx comes in 20 MHz, 25 MHz, an
 numbered appropriately.
 Two 12.5 MHz
 TURBOchannel slots are provided.
-.It DECstation 5000/2x
+.It DECstation 5000/xx
 also known as "Personal DECstation" or "MAXINE".
-The 5000/xx comes in 20 MHz and 25 MHz variants.
+The 5000/xx comes in 20 MHz, 25 MHz, and 33 MHz variants.
 A baseboard 1024x786 framebuffer, and two 12.5 MHz TURBOchannel slots
 are provided.
 .It DECstation 5000/240 and DECsystem 5900
@@ -137,7 +138,7 @@ baseboard or PMAZ-AA SCSI option card.
 baseboard audio on 5000/xx systems.
 .It dz
 serial driver for DEC custom four-port serial device (dc7085 DZ-11 clone)
-on the baseboard of DECstation 2100/31000, 5100, and 5000/200 systems.
+on the baseboard of DECstation 2100/3100, 5100, and 5000/200 systems.
 .It zsc
 serial driver for Zilog SCC asynchronous/synchronous devices on the
 baseboard of DECstation 5000-series systems (excluding 5000/200).
@@ -152,7 +153,7 @@ if support for baseboard devices or the 
 Pseudo-device driver supporting glass-tty console emulation on DEC
 framebuffers, DEC mice, and LK-201 family keyboards.
 .It sii
-DEC custom SCSI adaptor on DECstation 2100, 3100, 5100, and VAXstation 3100.
+DEC custom SCSI adaptor on DECstation 2100, 3100, and 5100.
 .It pm
 DECstation 2100/3100 baseboard framebuffer
 .It tc

Index: src/share/man/man4/man4.pmax/sii.4
diff -u src/share/man/man4/man4.pmax/sii.4:1.13 src/share/man/man4/man4.pmax/sii.4:1.14
--- src/share/man/man4/man4.pmax/sii.4:1.13	Tue Jul 25 03:51:41 2017
+++ src/share/man/man4/man4.pmax/sii.4	Fri Jul 28 15:58:24 2017
@@ -27,9 +27,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\"	$NetBSD: sii.4,v 1.13 2017/07/25 03:51:41 ryoon Exp $
+.\"	$NetBSD: sii.4,v 1.14 2017/07/28 15:58:24 flxd Exp $
 .\"
-.Dd February 17, 2017
+.Dd July 28, 2017
 .Dt SII 4 pmax
 .Os
 .Sh NAME
@@ -45,7 +45,7 @@ The
 driver provides support for the
 .Tn DEC
 SII SCSI adaptor ASIC used in
-the DECstation 2100, 3100, and 5100, and in the VAXstation 3100.
+the DECstation 2100, 3100, and 5100.
 .Pp
 The
 .Nm
@@ -65,6 +65,7 @@ to and from the DMA region.
 .Xr ch 4 ,
 .Xr pmax/ibus 4 ,
 .Xr pmax/intro 4 ,
+.Xr scsi 4 ,
 .Xr sd 4 ,
 .Xr st 4
 .Sh HISTORY

CVS commit: src/sys/dev

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 15:52:53 UTC 2017

Modified Files:
src/sys/dev: vndvar.h

Log Message:
Tweak whitespace to make this definition more greppable.


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 src/sys/dev/vndvar.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/vndvar.h
diff -u src/sys/dev/vndvar.h:1.35 src/sys/dev/vndvar.h:1.36
--- src/sys/dev/vndvar.h:1.35	Sun Sep  6 06:00:59 2015
+++ src/sys/dev/vndvar.h	Fri Jul 28 15:52:53 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vndvar.h,v 1.35 2015/09/06 06:00:59 dholland Exp $	*/
+/*	$NetBSD: vndvar.h,v 1.36 2017/07/28 15:52:53 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998 The NetBSD Foundation, Inc.
@@ -147,8 +147,7 @@ struct vnd_softc {
 #define VNF_USE_VN_RDWR	0x1000	/* have to use vn_rdwr() */
 
 /* structure of header in a compressed file */
-struct vnd_comp_header
-{
+struct vnd_comp_header {
 	char preamble[128];
 	u_int32_t block_size;
 	u_int32_t num_blocks;

CVS commit: src/sys/compat/ibcs2

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 15:51:35 UTC 2017

Modified Files:
src/sys/compat/ibcs2: ibcs2_exec_coff.c

Log Message:
Make sure we move forward over the buffer.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/sys/compat/ibcs2/ibcs2_exec_coff.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/ibcs2/ibcs2_exec_coff.c
diff -u src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.28 src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.29
--- src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.28	Fri Jul 28 15:50:04 2017
+++ src/sys/compat/ibcs2/ibcs2_exec_coff.c	Fri Jul 28 15:51:35 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_exec_coff.c,v 1.28 2017/07/28 15:50:04 riastradh Exp $	*/
+/*	$NetBSD: ibcs2_exec_coff.c,v 1.29 2017/07/28 15:51:35 riastradh Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995, 1998 Scott Bartram
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.28 2017/07/28 15:50:04 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.29 2017/07/28 15:51:35 riastradh Exp $");
 
 #include 
 #include 
@@ -469,7 +469,8 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
 			/* path_index = slhdr->path_index * sizeof(long); */
 			entry_len = slhdr->entry_len * sizeof(long);
 
-			if (entry_len > len ||
+			if (entry_len < sizeof(struct coff_slhdr) ||
+			entry_len > len ||
 			strnlen(slhdr->sl_name, entry_len) == entry_len) {
 free(tbuf, M_TEMP);
 return ENOEXEC;

CVS commit: src/sys/compat/ibcs2

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 15:50:04 UTC 2017

Modified Files:
src/sys/compat/ibcs2: ibcs2_exec_coff.c

Log Message:
Make sure we have enough space in the buffer before reading it.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/sys/compat/ibcs2/ibcs2_exec_coff.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/ibcs2/ibcs2_exec_coff.c
diff -u src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.27 src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.28
--- src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.27	Fri Jul 28 15:47:23 2017
+++ src/sys/compat/ibcs2/ibcs2_exec_coff.c	Fri Jul 28 15:50:04 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_exec_coff.c,v 1.27 2017/07/28 15:47:23 riastradh Exp $	*/
+/*	$NetBSD: ibcs2_exec_coff.c,v 1.28 2017/07/28 15:50:04 riastradh Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995, 1998 Scott Bartram
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.27 2017/07/28 15:47:23 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.28 2017/07/28 15:50:04 riastradh Exp $");
 
 #include 
 #include 
@@ -454,6 +454,10 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
 		}
 		bufp = tbuf;
 		while (len) {
+			if (len < sizeof(struct coff_slhdr)) {
+free(tbuf, M_TEMP);
+return ENOEXEC;
+			}
 			slhdr = (struct coff_slhdr *)bufp;
 
 			if (slhdr->path_index > LONG_MAX / sizeof(long) ||

CVS commit: src/sys/compat/ibcs2

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 15:47:23 UTC 2017

Modified Files:
src/sys/compat/ibcs2: ibcs2_exec_coff.c

Log Message:
Check for NUL termination within the buffer we have.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 src/sys/compat/ibcs2/ibcs2_exec_coff.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/ibcs2/ibcs2_exec_coff.c
diff -u src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.26 src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.27
--- src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.26	Fri Oct 25 14:46:35 2013
+++ src/sys/compat/ibcs2/ibcs2_exec_coff.c	Fri Jul 28 15:47:23 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_exec_coff.c,v 1.26 2013/10/25 14:46:35 martin Exp $	*/
+/*	$NetBSD: ibcs2_exec_coff.c,v 1.27 2017/07/28 15:47:23 riastradh Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995, 1998 Scott Bartram
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.26 2013/10/25 14:46:35 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.27 2017/07/28 15:47:23 riastradh Exp $");
 
 #include 
 #include 
@@ -465,7 +465,8 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
 			/* path_index = slhdr->path_index * sizeof(long); */
 			entry_len = slhdr->entry_len * sizeof(long);
 
-			if (entry_len > len) {
+			if (entry_len > len ||
+			strnlen(slhdr->sl_name, entry_len) == entry_len) {
 free(tbuf, M_TEMP);
 return ENOEXEC;
 			}

CVS commit: src/sys/arch/amd64/conf

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 15:40:38 UTC 2017

Modified Files:
src/sys/arch/amd64/conf: ALL

Log Message:
Add some more bogus compat options to amd64/ALL for compile-testing.


To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 src/sys/arch/amd64/conf/ALL

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/conf/ALL
diff -u src/sys/arch/amd64/conf/ALL:1.60 src/sys/arch/amd64/conf/ALL:1.61
--- src/sys/arch/amd64/conf/ALL:1.60	Wed Jun 14 09:00:07 2017
+++ src/sys/arch/amd64/conf/ALL	Fri Jul 28 15:40:38 2017
@@ -1,4 +1,4 @@
-# $NetBSD: ALL,v 1.60 2017/06/14 09:00:07 pgoyette Exp $
+# $NetBSD: ALL,v 1.61 2017/07/28 15:40:38 riastradh Exp $
 # From NetBSD: GENERIC,v 1.787 2006/10/01 18:37:54 bouyer Exp
 #
 # ALL machine description file
@@ -17,7 +17,7 @@ include 	"arch/amd64/conf/std.amd64"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident		"ALL-$Revision: 1.60 $"
+#ident		"ALL-$Revision: 1.61 $"
 
 maxusers	64		# estimated number of users
 
@@ -160,6 +160,11 @@ options 	COMPAT_IBCS2	# binary compatibi
 options 	COMPAT_FREEBSD	# binary compatibility with FreeBSD
 options 	COMPAT_NDIS	# NDIS network driver
 options 	COMPAT_BSDPTY	# /dev/[pt]ty?? ptys.
+options 	COMPAT_OSF1	# OSF1 binary compatibility
+#options 	COMPAT_SVR4	# SVR4 binary compatibility (no amd64)
+#options 	COMPAT_SVR4_32	# SVR4 32-bit binary compatibility (no amd64)
+options 	COMPAT_ULTRIX	# DEC Ultrix binary compatibility
+options 	COMPAT_SUNOS	# SunOS 4.x binary compatibility
 
 # Wedge support
 options 	DKWEDGE_AUTODISCOVER	# Automatically add dk(4) instances

CVS commit: src/sys/kern

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 15:37:23 UTC 2017

Modified Files:
src/sys/kern: vfs_getcwd.c

Log Message:
Don't walk off the end of the dirent buffer.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/sys/kern/vfs_getcwd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/vfs_getcwd.c
diff -u src/sys/kern/vfs_getcwd.c:1.51 src/sys/kern/vfs_getcwd.c:1.52
--- src/sys/kern/vfs_getcwd.c:1.51	Thu Jun  1 02:45:13 2017
+++ src/sys/kern/vfs_getcwd.c	Fri Jul 28 15:37:23 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_getcwd.c,v 1.51 2017/06/01 02:45:13 chs Exp $ */
+/* $NetBSD: vfs_getcwd.c,v 1.52 2017/07/28 15:37:23 riastradh Exp $ */
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.51 2017/06/01 02:45:13 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.52 2017/07/28 15:37:23 riastradh Exp $");
 
 #include 
 #include 
@@ -211,7 +211,8 @@ unionread:
 reclen = dp->d_reclen;
 
 /* check for malformed directory.. */
-if (reclen < _DIRENT_MINSIZE(dp)) {
+if (reclen < _DIRENT_MINSIZE(dp) ||
+reclen > len) {
 	error = EINVAL;
 	goto out;
 }

CVS commit: src/sys

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 15:34:07 UTC 2017

Modified Files:
src/sys/compat/common: vfs_syscalls_12.c vfs_syscalls_43.c
src/sys/compat/ibcs2: ibcs2_misc.c
src/sys/compat/linux/common: linux_file64.c linux_misc.c
src/sys/compat/linux32/common: linux32_dirent.c
src/sys/compat/osf1: osf1_file.c
src/sys/compat/sunos: sunos_misc.c
src/sys/compat/sunos32: sunos32_misc.c
src/sys/compat/svr4: svr4_misc.c
src/sys/compat/svr4_32: svr4_32_misc.c
src/sys/rump/kern/lib/libsys_sunos: rump_sunos_compat.c

Log Message:
Fail, don't panic, on bad dirents from file system.

Controllable via puffs from userland.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 src/sys/compat/common/vfs_syscalls_12.c
cvs rdiff -u -r1.59 -r1.60 src/sys/compat/common/vfs_syscalls_43.c
cvs rdiff -u -r1.113 -r1.114 src/sys/compat/ibcs2/ibcs2_misc.c
cvs rdiff -u -r1.58 -r1.59 src/sys/compat/linux/common/linux_file64.c
cvs rdiff -u -r1.238 -r1.239 src/sys/compat/linux/common/linux_misc.c
cvs rdiff -u -r1.17 -r1.18 src/sys/compat/linux32/common/linux32_dirent.c
cvs rdiff -u -r1.43 -r1.44 src/sys/compat/osf1/osf1_file.c
cvs rdiff -u -r1.170 -r1.171 src/sys/compat/sunos/sunos_misc.c
cvs rdiff -u -r1.77 -r1.78 src/sys/compat/sunos32/sunos32_misc.c
cvs rdiff -u -r1.157 -r1.158 src/sys/compat/svr4/svr4_misc.c
cvs rdiff -u -r1.77 -r1.78 src/sys/compat/svr4_32/svr4_32_misc.c
cvs rdiff -u -r1.1 -r1.2 \
src/sys/rump/kern/lib/libsys_sunos/rump_sunos_compat.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/vfs_syscalls_12.c
diff -u src/sys/compat/common/vfs_syscalls_12.c:1.33 src/sys/compat/common/vfs_syscalls_12.c:1.34
--- src/sys/compat/common/vfs_syscalls_12.c:1.33	Fri Jan 13 22:29:59 2017
+++ src/sys/compat/common/vfs_syscalls_12.c	Fri Jul 28 15:34:06 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_12.c,v 1.33 2017/01/13 22:29:59 christos Exp $	*/
+/*	$NetBSD: vfs_syscalls_12.c,v 1.34 2017/07/28 15:34:06 riastradh Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.33 2017/01/13 22:29:59 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.34 2017/07/28 15:34:06 riastradh Exp $");
 
 #include 
 #include 
@@ -171,8 +171,10 @@ again:
 	for (cookie = cookiebuf; len > 0; len -= reclen) {
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
-		if (reclen & 3)
-			panic(__func__);
+		if (reclen & 3) {
+			error = EIO;
+			goto out;
+		}
 		if (bdp->d_fileno == 0) {
 			inp += reclen;	/* it is a hole; squish it out */
 			if (cookie)

Index: src/sys/compat/common/vfs_syscalls_43.c
diff -u src/sys/compat/common/vfs_syscalls_43.c:1.59 src/sys/compat/common/vfs_syscalls_43.c:1.60
--- src/sys/compat/common/vfs_syscalls_43.c:1.59	Fri Jan 13 20:25:35 2017
+++ src/sys/compat/common/vfs_syscalls_43.c	Fri Jul 28 15:34:06 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_43.c,v 1.59 2017/01/13 20:25:35 christos Exp $	*/
+/*	$NetBSD: vfs_syscalls_43.c,v 1.60 2017/07/28 15:34:06 riastradh Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.59 2017/01/13 20:25:35 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.60 2017/07/28 15:34:06 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -451,8 +451,10 @@ again:
 	for (cookie = cookiebuf; len > 0; len -= reclen) {
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
-		if (reclen & 3)
-			panic(__func__);
+		if (reclen & 3) {
+			error = EIO;
+			goto out;
+		}
 		if (bdp->d_fileno == 0) {
 			inp += reclen;	/* it is a hole; squish it out */
 			if (cookie)

Index: src/sys/compat/ibcs2/ibcs2_misc.c
diff -u src/sys/compat/ibcs2/ibcs2_misc.c:1.113 src/sys/compat/ibcs2/ibcs2_misc.c:1.114
--- src/sys/compat/ibcs2/ibcs2_misc.c:1.113	Fri Sep  5 09:21:54 2014
+++ src/sys/compat/ibcs2/ibcs2_misc.c	Fri Jul 28 15:34:06 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_misc.c,v 1.113 2014/09/05 09:21:54 matt Exp $	*/
+/*	$NetBSD: ibcs2_misc.c,v 1.114 2017/07/28 15:34:06 riastradh Exp $	*/
 
 /*
  * Copyright (c) 1992, 1993
@@ -95,7 +95,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_misc.c,v 1.113 2014/09/05 09:21:54 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_misc.c,v 1.114 2017/07/28 15:34:06 riastradh Exp $");
 
 #include 
 #include 
@@ -427,8 +427,10 @@ again:
 	for (cookie = cookiebuf; len > 0; len -= reclen) {
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
-		if (reclen & 3)
-			panic("ibcs2_getdents: bad reclen");
+		if (reclen & 3) {
+			error = EIO;
+			goto out;
+		}
 		if (cookie && (*cookie >> 32) != 0) {
 			compat_offseterr(vp, "ibcs2_getdents");
 			error = EINVAL;

Index:

CVS commit: src/sys/kern

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 15:16:39 UTC 2017

Modified Files:
src/sys/kern: kern_ktrace.c

Log Message:
Clamp the length we use, not the length we don't.

Avoids uninitialized memory disclosure to userland.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.170 -r1.171 src/sys/kern/kern_ktrace.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_ktrace.c
diff -u src/sys/kern/kern_ktrace.c:1.170 src/sys/kern/kern_ktrace.c:1.171
--- src/sys/kern/kern_ktrace.c:1.170	Thu Jun  1 02:45:13 2017
+++ src/sys/kern/kern_ktrace.c	Fri Jul 28 15:16:39 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_ktrace.c,v 1.170 2017/06/01 02:45:13 chs Exp $	*/
+/*	$NetBSD: kern_ktrace.c,v 1.171 2017/07/28 15:16:39 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.170 2017/06/01 02:45:13 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.171 2017/07/28 15:16:39 riastradh Exp $");
 
 #include 
 #include 
@@ -926,7 +926,7 @@ ktruser(const char *id, void *addr, size
 
 	user_dta = (void *)(ktp + 1);
 	if ((error = copyin(addr, user_dta, len)) != 0)
-		len = 0;
+		kte->kte_kth.ktr_len = 0;
 
 	ktraddentry(l, kte, KTA_WAITOK);
 	return error;

CVS commit: src/sys/dev/ic

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 15:02:52 UTC 2017

Modified Files:
src/sys/dev/ic: isp_netbsd.c

Log Message:
Reject out-of-bounds channel index.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.88 -r1.89 src/sys/dev/ic/isp_netbsd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/isp_netbsd.c
diff -u src/sys/dev/ic/isp_netbsd.c:1.88 src/sys/dev/ic/isp_netbsd.c:1.89
--- src/sys/dev/ic/isp_netbsd.c:1.88	Wed Dec 31 17:10:45 2014
+++ src/sys/dev/ic/isp_netbsd.c	Fri Jul 28 15:02:52 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: isp_netbsd.c,v 1.88 2014/12/31 17:10:45 christos Exp $ */
+/* $NetBSD: isp_netbsd.c,v 1.89 2017/07/28 15:02:52 riastradh Exp $ */
 /*
  * Platform (NetBSD) dependent common attachment code for Qlogic adapters.
  */
@@ -33,7 +33,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.88 2014/12/31 17:10:45 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.89 2017/07/28 15:02:52 riastradh Exp $");
 
 #include 
 #include 
@@ -475,6 +475,10 @@ ispioctl(struct scsipi_channel *chan, u_
 		}
 		lim = local.count;
 		channel = local.channel;
+		if (channel >= isp->isp_nchan) {
+			retval = EINVAL;
+			break;
+		}
 
 		ua = *(isp_dlist_t **)addr;
 		uptr = >wwns[0];

CVS commit: src/sys/dev/ic

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 14:49:55 UTC 2017

Modified Files:
src/sys/dev/ic: ciss.c

Log Message:
Reject negative indices from userland.


To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 src/sys/dev/ic/ciss.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/ciss.c
diff -u src/sys/dev/ic/ciss.c:1.36 src/sys/dev/ic/ciss.c:1.37
--- src/sys/dev/ic/ciss.c:1.36	Thu Jul 14 04:00:45 2016
+++ src/sys/dev/ic/ciss.c	Fri Jul 28 14:49:55 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ciss.c,v 1.36 2016/07/14 04:00:45 msaitoh Exp $	*/
+/*	$NetBSD: ciss.c,v 1.37 2017/07/28 14:49:55 riastradh Exp $	*/
 /*	$OpenBSD: ciss.c,v 1.68 2013/05/30 16:15:02 deraadt Exp $	*/
 
 /*
@@ -19,7 +19,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.36 2016/07/14 04:00:45 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.37 2017/07/28 14:49:55 riastradh Exp $");
 
 #include "bio.h"
 
@@ -1299,12 +1299,12 @@ ciss_ioctl(device_t dev, u_long cmd, voi
 		/* FALLTHROUGH */
 	case BIOCDISK:
 		bd = (struct bioc_disk *)addr;
-		if (bd->bd_volid > sc->maxunits) {
+		if (bd->bd_volid < 0 || bd->bd_volid > sc->maxunits) {
 			error = EINVAL;
 			break;
 		}
 		ldp = sc->sc_lds[0];
-		if (!ldp || (pd = bd->bd_diskid) > ldp->ndrives) {
+		if (!ldp || (pd = bd->bd_diskid) < 0 || pd > ldp->ndrives) {
 			error = EINVAL;
 			break;
 		}
@@ -1405,7 +1405,7 @@ ciss_ioctl_vol(struct ciss_softc *sc, st
 	int error = 0;
 	u_int blks;
 
-	if (bv->bv_volid > sc->maxunits) {
+	if (bv->bv_volid < 0 || bv->bv_volid > sc->maxunits) {
 		return EINVAL;
 	}
 	ldp = sc->sc_lds[bv->bv_volid];

CVS commit: src/sys/netsmb

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 14:45:59 UTC 2017

Modified Files:
src/sys/netsmb: smb_dev.c

Log Message:
Reject negative offset/count for smb read/write.

Not clear that this is actually a problem for the kernel -- might
overwrite user's buffers or return garbage to user, but that's their
own damn fault.  But it's hard to imagine that negative offset/count
ever makes sense, and I haven't ruled out a problem for the kernel.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/sys/netsmb/smb_dev.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netsmb/smb_dev.c
diff -u src/sys/netsmb/smb_dev.c:1.49 src/sys/netsmb/smb_dev.c:1.50
--- src/sys/netsmb/smb_dev.c:1.49	Mon Jul 18 21:03:01 2016
+++ src/sys/netsmb/smb_dev.c	Fri Jul 28 14:45:59 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_dev.c,v 1.49 2016/07/18 21:03:01 pgoyette Exp $	*/
+/*	$NetBSD: smb_dev.c,v 1.50 2017/07/28 14:45:59 riastradh Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.49 2016/07/18 21:03:01 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.50 2017/07/28 14:45:59 riastradh Exp $");
 
 #include 
 #include 
@@ -345,6 +345,8 @@ nsmb_dev_ioctl(dev_t dev, u_long cmd, vo
 		struct uio auio;
 		struct iovec iov;
 
+		if (rwrq->ioc_cnt < 0 || rwrq->ioc_offset < 0)
+			return EINVAL;
 		if ((ssp = sdp->sd_share) == NULL)
 			return ENOTCONN;
 		iov.iov_base = rwrq->ioc_base;

CVS commit: src/sys/netsmb

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 14:40:42 UTC 2017

Modified Files:
src/sys/netsmb: smb_usr.c

Log Message:
Reject negative ioc_setupcnt.


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/sys/netsmb/smb_usr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netsmb/smb_usr.c
diff -u src/sys/netsmb/smb_usr.c:1.18 src/sys/netsmb/smb_usr.c:1.19
--- src/sys/netsmb/smb_usr.c:1.18	Fri Jul 28 14:37:27 2017
+++ src/sys/netsmb/smb_usr.c	Fri Jul 28 14:40:42 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_usr.c,v 1.18 2017/07/28 14:37:27 riastradh Exp $	*/
+/*	$NetBSD: smb_usr.c,v 1.19 2017/07/28 14:40:42 riastradh Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.18 2017/07/28 14:37:27 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.19 2017/07/28 14:40:42 riastradh Exp $");
 
 #include 
 #include 
@@ -300,7 +300,7 @@ smb_usr_t2request(struct smb_share *ssp,
 	struct mdchain *mdp;
 	int error, len;
 
-	if (dp->ioc_setupcnt > 3)
+	if (dp->ioc_setupcnt < 0 || dp->ioc_setupcnt > 3)
 		return EINVAL;
 	error = smb_t2_alloc(SSTOCP(ssp), dp->ioc_setup[0], scred, );
 	if (error)

CVS commit: src/sys/netsmb

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 14:37:27 UTC 2017

Modified Files:
src/sys/netsmb: smb_subr.c smb_subr.h smb_usr.c

Log Message:
Plug another overflow: refuse bogus sa_len from user.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 src/sys/netsmb/smb_subr.c
cvs rdiff -u -r1.21 -r1.22 src/sys/netsmb/smb_subr.h
cvs rdiff -u -r1.17 -r1.18 src/sys/netsmb/smb_usr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netsmb/smb_subr.c
diff -u src/sys/netsmb/smb_subr.c:1.37 src/sys/netsmb/smb_subr.c:1.38
--- src/sys/netsmb/smb_subr.c:1.37	Sat Nov 15 18:52:45 2014
+++ src/sys/netsmb/smb_subr.c	Fri Jul 28 14:37:27 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_subr.c,v 1.37 2014/11/15 18:52:45 nakayama Exp $	*/
+/*	$NetBSD: smb_subr.c,v 1.38 2017/07/28 14:37:27 riastradh Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.37 2014/11/15 18:52:45 nakayama Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.38 2017/07/28 14:37:27 riastradh Exp $");
 
 #include 
 #include 
@@ -380,3 +380,32 @@ dup_sockaddr(struct sockaddr *sa, int ca
 		memcpy(sa2, sa, sa->sa_len);
 	return sa2;
 }
+
+int
+dup_sockaddr_copyin(struct sockaddr **ksap, struct sockaddr *usa,
+size_t usalen)
+{
+	struct sockaddr *ksa;
+
+	/* Make sure user provided enough data for a generic sockaddr.  */
+	if (usalen < sizeof(*ksa))
+		return EINVAL;
+
+	/* Don't let the user overfeed us.  */
+	usalen = MIN(usalen, sizeof(struct sockaddr_storage));
+
+	/* Copy the buffer in from userland.  */
+	ksa = smb_memdupin(usa, usalen);
+	if (ksa == NULL)
+		return ENOMEM;
+
+	/* Make sure the user's idea of sa_len is reasonable.  */
+	if (ksa->sa_len > usalen) {
+		smb_memfree(ksa);
+		return EINVAL;
+	}
+
+	/* Success!  */
+	*ksap = ksa;
+	return 0;
+}

Index: src/sys/netsmb/smb_subr.h
diff -u src/sys/netsmb/smb_subr.h:1.21 src/sys/netsmb/smb_subr.h:1.22
--- src/sys/netsmb/smb_subr.h:1.21	Tue Mar 13 18:41:01 2012
+++ src/sys/netsmb/smb_subr.h	Fri Jul 28 14:37:27 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_subr.h,v 1.21 2012/03/13 18:41:01 elad Exp $	*/
+/*	$NetBSD: smb_subr.h,v 1.22 2017/07/28 14:37:27 riastradh Exp $	*/
 
 /*
  * Copyright (c) 2000-2001, Boris Popov
@@ -128,5 +128,6 @@ int  smb_put_asunistring(struct smb_rq *
 #endif
 
 struct sockaddr *dup_sockaddr(struct sockaddr *, int);
+int dup_sockaddr_copyin(struct sockaddr **, struct sockaddr *, size_t);
 
 #endif /* !_NETSMB_SMB_SUBR_H_ */

Index: src/sys/netsmb/smb_usr.c
diff -u src/sys/netsmb/smb_usr.c:1.17 src/sys/netsmb/smb_usr.c:1.18
--- src/sys/netsmb/smb_usr.c:1.17	Fri Jul 28 14:20:46 2017
+++ src/sys/netsmb/smb_usr.c	Fri Jul 28 14:37:27 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_usr.c,v 1.17 2017/07/28 14:20:46 riastradh Exp $	*/
+/*	$NetBSD: smb_usr.c,v 1.18 2017/07/28 14:37:27 riastradh Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.17 2017/07/28 14:20:46 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.18 2017/07/28 14:37:27 riastradh Exp $");
 
 #include 
 #include 
@@ -65,6 +65,7 @@ static int
 smb_usr_vc2spec(struct smbioc_ossn *dp, struct smb_vcspec *spec)
 {
 	int flags = 0;
+	int error;
 
 	memset(spec, 0, sizeof(*spec));
 	if (dp->ioc_user[0] == 0)
@@ -75,21 +76,16 @@ smb_usr_vc2spec(struct smbioc_ossn *dp, 
 		SMBERROR(("no local charset ?\n"));
 		return EINVAL;
 	}
-	if (dp->ioc_svlen < sizeof(*spec->sap))
-		return EINVAL;
 
-	spec->sap = smb_memdupin(dp->ioc_server, dp->ioc_svlen);
-	if (spec->sap == NULL)
-		return ENOMEM;
+	error = dup_sockaddr_copyin(>sap, dp->ioc_server, dp->ioc_svlen);
+	if (error)
+		return error;
 	if (dp->ioc_local) {
-		if (dp->ioc_lolen < sizeof(*spec->lap)) {
-			smb_usr_vcspec_free(spec);
-			return ENOMEM;
-		}
-		spec->lap = smb_memdupin(dp->ioc_local, dp->ioc_lolen);
-		if (spec->lap == NULL) {
+		error = dup_sockaddr_copyin(>lap, dp->ioc_local,
+		dp->ioc_lolen);
+		if (error) {
 			smb_usr_vcspec_free(spec);
-			return ENOMEM;
+			return error;
 		}
 	}
 	spec->srvname = dp->ioc_srvname;

CVS commit: src/sys/arch/x86/pci

2017-07-28 Thread Maxime Villard 
Module Name:src
Committed By:   maxv
Date:   Fri Jul 28 14:26:51 UTC 2017

Modified Files:
src/sys/arch/x86/pci: msipic.c pci_addr_fixup.c pci_intr_machdep.c
pci_msi_machdep.c

Log Message:
Don't include malloc.h.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/sys/arch/x86/pci/msipic.c
cvs rdiff -u -r1.9 -r1.10 src/sys/arch/x86/pci/pci_addr_fixup.c
cvs rdiff -u -r1.40 -r1.41 src/sys/arch/x86/pci/pci_intr_machdep.c
cvs rdiff -u -r1.12 -r1.13 src/sys/arch/x86/pci/pci_msi_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/pci/msipic.c
diff -u src/sys/arch/x86/pci/msipic.c:1.10 src/sys/arch/x86/pci/msipic.c:1.11
--- src/sys/arch/x86/pci/msipic.c:1.10	Thu Jun  1 02:45:08 2017
+++ src/sys/arch/x86/pci/msipic.c	Fri Jul 28 14:26:50 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: msipic.c,v 1.10 2017/06/01 02:45:08 chs Exp $	*/
+/*	$NetBSD: msipic.c,v 1.11 2017/07/28 14:26:50 maxv Exp $	*/
 
 /*
  * Copyright (c) 2015 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: msipic.c,v 1.10 2017/06/01 02:45:08 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: msipic.c,v 1.11 2017/07/28 14:26:50 maxv Exp $");
 
 #include "opt_intrdebug.h"
 
@@ -36,7 +36,6 @@ __KERNEL_RCSID(0, "$NetBSD: msipic.c,v 1
 #include 
 #include 
 #include 
-#include 
 #include 
 
 #include 

Index: src/sys/arch/x86/pci/pci_addr_fixup.c
diff -u src/sys/arch/x86/pci/pci_addr_fixup.c:1.9 src/sys/arch/x86/pci/pci_addr_fixup.c:1.10
--- src/sys/arch/x86/pci/pci_addr_fixup.c:1.9	Fri Jan 27 18:53:06 2012
+++ src/sys/arch/x86/pci/pci_addr_fixup.c	Fri Jul 28 14:26:50 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pci_addr_fixup.c,v 1.9 2012/01/27 18:53:06 para Exp $	*/
+/*	$NetBSD: pci_addr_fixup.c,v 1.10 2017/07/28 14:26:50 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2000 UCHIYAMA Yasushi.  All rights reserved.
@@ -27,11 +27,10 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pci_addr_fixup.c,v 1.9 2012/01/27 18:53:06 para Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pci_addr_fixup.c,v 1.10 2017/07/28 14:26:50 maxv Exp $");
 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 

Index: src/sys/arch/x86/pci/pci_intr_machdep.c
diff -u src/sys/arch/x86/pci/pci_intr_machdep.c:1.40 src/sys/arch/x86/pci/pci_intr_machdep.c:1.41
--- src/sys/arch/x86/pci/pci_intr_machdep.c:1.40	Thu Jun  1 02:45:08 2017
+++ src/sys/arch/x86/pci/pci_intr_machdep.c	Fri Jul 28 14:26:50 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pci_intr_machdep.c,v 1.40 2017/06/01 02:45:08 chs Exp $	*/
+/*	$NetBSD: pci_intr_machdep.c,v 1.41 2017/07/28 14:26:50 maxv Exp $	*/
 
 /*-
  * Copyright (c) 1997, 1998, 2009 The NetBSD Foundation, Inc.
@@ -73,7 +73,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pci_intr_machdep.c,v 1.40 2017/06/01 02:45:08 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pci_intr_machdep.c,v 1.41 2017/07/28 14:26:50 maxv Exp $");
 
 #include 
 #include 
@@ -84,7 +84,6 @@ __KERNEL_RCSID(0, "$NetBSD: pci_intr_mac
 #include 
 #include 
 #include 
-#include 
 
 #include 
 

Index: src/sys/arch/x86/pci/pci_msi_machdep.c
diff -u src/sys/arch/x86/pci/pci_msi_machdep.c:1.12 src/sys/arch/x86/pci/pci_msi_machdep.c:1.13
--- src/sys/arch/x86/pci/pci_msi_machdep.c:1.12	Thu Jun  1 02:45:08 2017
+++ src/sys/arch/x86/pci/pci_msi_machdep.c	Fri Jul 28 14:26:50 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pci_msi_machdep.c,v 1.12 2017/06/01 02:45:08 chs Exp $	*/
+/*	$NetBSD: pci_msi_machdep.c,v 1.13 2017/07/28 14:26:50 maxv Exp $	*/
 
 /*
  * Copyright (c) 2015 Internet Initiative Japan Inc.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pci_msi_machdep.c,v 1.12 2017/06/01 02:45:08 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pci_msi_machdep.c,v 1.13 2017/07/28 14:26:50 maxv Exp $");
 
 #include "opt_intrdebug.h"
 #include "ioapic.h"
@@ -48,7 +48,6 @@ __KERNEL_RCSID(0, "$NetBSD: pci_msi_mach
 #include 
 #include 
 #include 
-#include 
 
 #include

CVS commit: src/sys/netsmb

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 14:20:46 UTC 2017

Modified Files:
src/sys/netsmb: smb_usr.c

Log Message:
Reject allocations for too-small buffers from userland.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 src/sys/netsmb/smb_usr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netsmb/smb_usr.c
diff -u src/sys/netsmb/smb_usr.c:1.16 src/sys/netsmb/smb_usr.c:1.17
--- src/sys/netsmb/smb_usr.c:1.16	Wed Mar 18 16:00:24 2009
+++ src/sys/netsmb/smb_usr.c	Fri Jul 28 14:20:46 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_usr.c,v 1.16 2009/03/18 16:00:24 cegger Exp $	*/
+/*	$NetBSD: smb_usr.c,v 1.17 2017/07/28 14:20:46 riastradh Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.16 2009/03/18 16:00:24 cegger Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.17 2017/07/28 14:20:46 riastradh Exp $");
 
 #include 
 #include 
@@ -75,11 +75,17 @@ smb_usr_vc2spec(struct smbioc_ossn *dp, 
 		SMBERROR(("no local charset ?\n"));
 		return EINVAL;
 	}
+	if (dp->ioc_svlen < sizeof(*spec->sap))
+		return EINVAL;
 
 	spec->sap = smb_memdupin(dp->ioc_server, dp->ioc_svlen);
 	if (spec->sap == NULL)
 		return ENOMEM;
 	if (dp->ioc_local) {
+		if (dp->ioc_lolen < sizeof(*spec->lap)) {
+			smb_usr_vcspec_free(spec);
+			return ENOMEM;
+		}
 		spec->lap = smb_memdupin(dp->ioc_local, dp->ioc_lolen);
 		if (spec->lap == NULL) {
 			smb_usr_vcspec_free(spec);

CVS commit: src/sys/opencrypto

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 14:16:29 UTC 2017

Modified Files:
src/sys/opencrypto: ocryptodev.c

Log Message:
Avert userland-controlled integer overflow.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/sys/opencrypto/ocryptodev.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/opencrypto/ocryptodev.c
diff -u src/sys/opencrypto/ocryptodev.c:1.9 src/sys/opencrypto/ocryptodev.c:1.10
--- src/sys/opencrypto/ocryptodev.c:1.9	Fri Jul 28 14:13:56 2017
+++ src/sys/opencrypto/ocryptodev.c	Fri Jul 28 14:16:29 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ocryptodev.c,v 1.9 2017/07/28 14:13:56 riastradh Exp $ */
+/*	$NetBSD: ocryptodev.c,v 1.10 2017/07/28 14:16:29 riastradh Exp $ */
 /*	$FreeBSD: src/sys/opencrypto/cryptodev.c,v 1.4.2.4 2003/06/03 00:09:02 sam Exp $	*/
 /*	$OpenBSD: cryptodev.c,v 1.53 2002/07/10 22:21:30 mickey Exp $	*/
 
@@ -69,7 +69,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ocryptodev.c,v 1.9 2017/07/28 14:13:56 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ocryptodev.c,v 1.10 2017/07/28 14:16:29 riastradh Exp $");
 
 #include 
 #include 
@@ -159,6 +159,11 @@ mbail:
 		break;
 	case OCIOCNCRYPTM:
 		omop = (struct ocrypt_mop *)data;
+		if ((omop->count <= 0) ||
+		(SIZE_MAX/sizeof(struct ocrypt_n_op) <= omop->count)) {
+			error = EINVAL;
+			break;
+		}
 		ocnop = kmem_alloc((omop->count * sizeof(struct ocrypt_n_op)),
 		KM_SLEEP);
 		error = copyin(omop->reqs, ocnop,

CVS commit: src/sys/opencrypto

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 14:13:56 UTC 2017

Modified Files:
src/sys/opencrypto: ocryptodev.c

Log Message:
Don't disclose uninitialized 32-bit word if cryptodev_session fails.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/opencrypto/ocryptodev.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/opencrypto/ocryptodev.c
diff -u src/sys/opencrypto/ocryptodev.c:1.8 src/sys/opencrypto/ocryptodev.c:1.9
--- src/sys/opencrypto/ocryptodev.c:1.8	Fri Jun  2 09:46:57 2017
+++ src/sys/opencrypto/ocryptodev.c	Fri Jul 28 14:13:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ocryptodev.c,v 1.8 2017/06/02 09:46:57 knakahara Exp $ */
+/*	$NetBSD: ocryptodev.c,v 1.9 2017/07/28 14:13:56 riastradh Exp $ */
 /*	$FreeBSD: src/sys/opencrypto/cryptodev.c,v 1.4.2.4 2003/06/03 00:09:02 sam Exp $	*/
 /*	$OpenBSD: cryptodev.c,v 1.53 2002/07/10 22:21:30 mickey Exp $	*/
 
@@ -69,7 +69,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ocryptodev.c,v 1.8 2017/06/02 09:46:57 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ocryptodev.c,v 1.9 2017/07/28 14:13:56 riastradh Exp $");
 
 #include 
 #include 
@@ -245,8 +245,10 @@ ocryptodev_session(struct fcrypt *fcr, s
 	sop.mackeylen = osop->mackeylen;
 	sop.mackey = osop->mackey;
 	res = cryptodev_session(fcr, );
+	if (res)
+		return res;
 	osop->ses = sop.ses;
-	return res;
+	return 0;
 
 }

CVS commit: src/sys/arch/i386/conf

2017-07-28 Thread Maxime Villard 
Module Name:src
Committed By:   maxv
Date:   Fri Jul 28 14:13:13 UTC 2017

Modified Files:
src/sys/arch/i386/conf: GENERIC XEN3_DOM0 XEN3_DOMU

Log Message:
Disable svr4 and ibcs2 by default.

These options are not well-tested, of a limited use case, and the potential
for damage is too high. Vulnerabilities were presented at DEFCON 25 - I see
that at least one of them can be exploited to get ring0 privileges.


To generate a diff of this commit:
cvs rdiff -u -r1.1158 -r1.1159 src/sys/arch/i386/conf/GENERIC
cvs rdiff -u -r1.113 -r1.114 src/sys/arch/i386/conf/XEN3_DOM0
cvs rdiff -u -r1.77 -r1.78 src/sys/arch/i386/conf/XEN3_DOMU

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/i386/conf/GENERIC
diff -u src/sys/arch/i386/conf/GENERIC:1.1158 src/sys/arch/i386/conf/GENERIC:1.1159
--- src/sys/arch/i386/conf/GENERIC:1.1158	Fri Jul 28 13:59:07 2017
+++ src/sys/arch/i386/conf/GENERIC	Fri Jul 28 14:13:13 2017
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.1158 2017/07/28 13:59:07 maxv Exp $
+# $NetBSD: GENERIC,v 1.1159 2017/07/28 14:13:13 maxv Exp $
 #
 # GENERIC machine description file
 #
@@ -22,7 +22,7 @@ include 	"arch/i386/conf/std.i386"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident		"GENERIC-$Revision: 1.1158 $"
+#ident		"GENERIC-$Revision: 1.1159 $"
 
 maxusers	64		# estimated number of users
 
@@ -144,8 +144,8 @@ options 	COMPAT_43	# 4.3BSD, 386BSD, and
 #options 	TCP_COMPAT_42	# 4.2BSD TCP/IP bug compat. Not recommended.
 
 options 	COMPAT_OSSAUDIO	# OSS (Voxware) audio driver compatibility
-options 	COMPAT_SVR4	# binary compatibility with SVR4
-options 	COMPAT_IBCS2	# binary compatibility with SCO and ISC
+#options 	COMPAT_SVR4	# binary compatibility with SVR4
+#options 	COMPAT_IBCS2	# binary compatibility with SCO and ISC
 options 	COMPAT_LINUX	# binary compatibility with Linux
 #options 	COMPAT_FREEBSD	# binary compatibility with FreeBSD
 #options 	COMPAT_NDIS	# NDIS network driver

Index: src/sys/arch/i386/conf/XEN3_DOM0
diff -u src/sys/arch/i386/conf/XEN3_DOM0:1.113 src/sys/arch/i386/conf/XEN3_DOM0:1.114
--- src/sys/arch/i386/conf/XEN3_DOM0:1.113	Thu Jun 22 18:14:32 2017
+++ src/sys/arch/i386/conf/XEN3_DOM0	Fri Jul 28 14:13:13 2017
@@ -1,4 +1,4 @@
-#	$NetBSD: XEN3_DOM0,v 1.113 2017/06/22 18:14:32 khorben Exp $
+#	$NetBSD: XEN3_DOM0,v 1.114 2017/07/28 14:13:13 maxv Exp $
 #
 #	XEN3_0: Xen 3.0 domain0 kernel
 
@@ -97,8 +97,8 @@ options 	COMPAT_386BSD_MBRPART # recogni
 #options 	TCP_COMPAT_42	# 4.2BSD TCP/IP bug compat. Not recommended.
 
 options 	COMPAT_OSSAUDIO	# OSS (Voxware) audio driver compatibility
-options 	COMPAT_SVR4	# binary compatibility with SVR4
-options 	COMPAT_IBCS2	# binary compatibility with SCO and ISC
+#options 	COMPAT_SVR4	# binary compatibility with SVR4
+#options 	COMPAT_IBCS2	# binary compatibility with SCO and ISC
 options 	COMPAT_LINUX	# binary compatibility with Linux
 #options 	COMPAT_FREEBSD	# binary compatibility with FreeBSD
 options 	COMPAT_BSDPTY	# /dev/[pt]ty?? ptys.

Index: src/sys/arch/i386/conf/XEN3_DOMU
diff -u src/sys/arch/i386/conf/XEN3_DOMU:1.77 src/sys/arch/i386/conf/XEN3_DOMU:1.78
--- src/sys/arch/i386/conf/XEN3_DOMU:1.77	Sun May 21 06:19:37 2017
+++ src/sys/arch/i386/conf/XEN3_DOMU	Fri Jul 28 14:13:13 2017
@@ -1,4 +1,4 @@
-# $NetBSD: XEN3_DOMU,v 1.77 2017/05/21 06:19:37 pgoyette Exp $
+# $NetBSD: XEN3_DOMU,v 1.78 2017/07/28 14:13:13 maxv Exp $
 
 include 	"arch/xen/conf/std.xen"
 
@@ -81,8 +81,8 @@ options 	COMPAT_386BSD_MBRPART # recogni
 #options 	TCP_COMPAT_42	# 4.2BSD TCP/IP bug compat. Not recommended.
 
 options 	COMPAT_OSSAUDIO	# OSS (Voxware) audio driver compatibility
-options 	COMPAT_SVR4	# binary compatibility with SVR4
-options 	COMPAT_IBCS2	# binary compatibility with SCO and ISC
+#options 	COMPAT_SVR4	# binary compatibility with SVR4
+#options 	COMPAT_IBCS2	# binary compatibility with SCO and ISC
 options 	COMPAT_LINUX	# binary compatibility with Linux
 #options 	COMPAT_FREEBSD	# binary compatibility with FreeBSD
 options 	COMPAT_BSDPTY	# /dev/[pt]ty?? ptys.

CVS commit: src/sys/arch/x86/x86

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 14:13:11 UTC 2017

Modified Files:
src/sys/arch/x86/x86: pmap.c

Log Message:
#if DIAGNOSTIC panic ---> KASSERTMSG


To generate a diff of this commit:
cvs rdiff -u -r1.255 -r1.256 src/sys/arch/x86/x86/pmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/x86/pmap.c
diff -u src/sys/arch/x86/x86/pmap.c:1.255 src/sys/arch/x86/x86/pmap.c:1.256
--- src/sys/arch/x86/x86/pmap.c:1.255	Sat Jul 22 08:23:19 2017
+++ src/sys/arch/x86/x86/pmap.c	Fri Jul 28 14:13:11 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.255 2017/07/22 08:23:19 maxv Exp $	*/
+/*	$NetBSD: pmap.c,v 1.256 2017/07/28 14:13:11 riastradh Exp $	*/
 
 /*
  * Copyright (c) 2008, 2010, 2016, 2017 The NetBSD Foundation, Inc.
@@ -171,7 +171,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.255 2017/07/22 08:23:19 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.256 2017/07/28 14:13:11 riastradh Exp $");
 
 #include "opt_user_ldt.h"
 #include "opt_lockdebug.h"
@@ -984,15 +984,14 @@ pmap_kenter_pa(vaddr_t va, paddr_t pa, v
 	npte |= protection_codes[prot] | PG_V | pmap_pg_g;
 	npte |= pmap_pat_flags(flags);
 	opte = pmap_pte_testset(pte, npte); /* zap! */
-#if defined(DIAGNOSTIC)
+
 	/*
 	 * XXX: make sure we are not dealing with a large page, since the only
 	 * large pages created are for the kernel image, and they should never
 	 * be kentered.
 	 */
-	if (opte & PG_PS)
-		panic("%s: PG_PS va=%#" PRIxVADDR, __func__, va);
-#endif
+	KASSERTMSG(!(opte & PG_PS), "PG_PS va=%#"PRIxVADDR, va);
+
 	if ((opte & (PG_V | PG_U)) == (PG_V | PG_U)) {
 		/* This should not happen. */
 		printf_nolog("%s: mapping already present\n", __func__);
@@ -3113,10 +3112,7 @@ pmap_zero_page(paddr_t pa)
 	zerova = ci->vpage[VPAGE_ZER];
 	zpte = ci->vpage_pte[VPAGE_ZER];
 
-#ifdef DIAGNOSTIC
-	if (*zpte)
-		panic("pmap_zero_page: lock botch");
-#endif
+	KASSERTMSG(!*zpte, "pmap_zero_page: lock botch");
 
 	pmap_pte_set(zpte, pmap_pa2pte(pa) | pteflags);
 	pmap_pte_flush();
@@ -3394,11 +3390,11 @@ pmap_remove_pte(struct pmap *pmap, struc
 	 * If we are not on a pv_head list - we are done.
 	 */
 	if ((opte & PG_PVLIST) == 0) {
-#if defined(DIAGNOSTIC) && !defined(DOM0OPS)
-		if (PHYS_TO_VM_PAGE(pmap_pte2pa(opte)) != NULL ||
-		pmap_pv_tracked(pmap_pte2pa(opte)) != NULL)
-			panic("%s: managed or pv-tracked page"
-			" without PG_PVLIST for %#"PRIxVADDR, __func__, va);
+#ifndef DOM0OPS
+		KASSERTMSG((PHYS_TO_VM_PAGE(pmap_pte2pa(opte)) == NULL),
+		"managed page without PG_PVLIST for %#"PRIxVADDR, va);
+		KASSERTMSG((pmap_pv_tracked(pmap_pte2pa(opte)) == NULL),
+		"pv-tracked page without PG_PVLIST for %#"PRIxVADDR, va);
 #endif
 		return true;
 	}

CVS commit: src/sys/arch/x86/x86

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 14:12:26 UTC 2017

Modified Files:
src/sys/arch/x86/x86: cpu.c

Log Message:
cpu_trace is no more, remove vestige of it that broke ALL kernel.


To generate a diff of this commit:
cvs rdiff -u -r1.131 -r1.132 src/sys/arch/x86/x86/cpu.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/x86/cpu.c
diff -u src/sys/arch/x86/x86/cpu.c:1.131 src/sys/arch/x86/x86/cpu.c:1.132
--- src/sys/arch/x86/x86/cpu.c:1.131	Sat Jun 10 05:31:34 2017
+++ src/sys/arch/x86/x86/cpu.c	Fri Jul 28 14:12:26 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: cpu.c,v 1.131 2017/06/10 05:31:34 pgoyette Exp $	*/
+/*	$NetBSD: cpu.c,v 1.132 2017/07/28 14:12:26 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 2000-2012 NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: cpu.c,v 1.131 2017/06/10 05:31:34 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cpu.c,v 1.132 2017/07/28 14:12:26 riastradh Exp $");
 
 #include "opt_ddb.h"
 #include "opt_mpbios.h"		/* for MPDEBUG */
@@ -724,15 +724,6 @@ cpu_start_secondary(struct cpu_info *ci)
 	KASSERT(cpu_starting == NULL);
 	cpu_starting = ci;
 	for (i = 10; (!(ci->ci_flags & CPUF_PRESENT)) && i > 0; i--) {
-#ifdef MPDEBUG
-		extern int cpu_trace[3];
-		static int otrace[3];
-		if (memcmp(otrace, cpu_trace, sizeof(otrace)) != 0) {
-			aprint_debug_dev(ci->ci_dev, "trace %02x %02x %02x\n",
-			cpu_trace[0], cpu_trace[1], cpu_trace[2]);
-			memcpy(otrace, cpu_trace, sizeof(otrace));
-		}
-#endif
 		i8254_delay(10);
 	}

CVS commit: src/sys/arch/i386/conf

2017-07-28 Thread Maxime Villard 
Module Name:src
Committed By:   maxv
Date:   Fri Jul 28 13:59:07 UTC 2017

Modified Files:
src/sys/arch/i386/conf: GENERIC

Log Message:
Disable vm86 by default. The use case is limited, and the potential for
damage is too high.

This code is fragile, and relies on a certain number of assumptions, some
of which are not be totally true. For example, it relies on the fact that
a 16bit process cannot perform a syscall, but verily it can. The slighest
confusion in the trap frame can lead to ring0 exploits. Also, I'm not
convinced that it interacts well with the compatibility layers.


To generate a diff of this commit:
cvs rdiff -u -r1.1157 -r1.1158 src/sys/arch/i386/conf/GENERIC

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/i386/conf/GENERIC
diff -u src/sys/arch/i386/conf/GENERIC:1.1157 src/sys/arch/i386/conf/GENERIC:1.1158
--- src/sys/arch/i386/conf/GENERIC:1.1157	Wed Jul 12 17:40:34 2017
+++ src/sys/arch/i386/conf/GENERIC	Fri Jul 28 13:59:07 2017
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.1157 2017/07/12 17:40:34 maxv Exp $
+# $NetBSD: GENERIC,v 1.1158 2017/07/28 13:59:07 maxv Exp $
 #
 # GENERIC machine description file
 #
@@ -22,12 +22,12 @@ include 	"arch/i386/conf/std.i386"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident		"GENERIC-$Revision: 1.1157 $"
+#ident		"GENERIC-$Revision: 1.1158 $"
 
 maxusers	64		# estimated number of users
 
 # CPU-related options.
-options 	VM86		# virtual 8086 emulation
+#options 	VM86		# virtual 8086 emulation
 options 	USER_LDT	# user-settable LDT; used by WINE
 #options 	PAE		# PAE mode (36 bits physical addressing)

CVS commit: src/sys/altq

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 13:58:47 UTC 2017

Modified Files:
src/sys/altq: altq_wfq.c

Log Message:
Reject negative indices.

(Would be nice to change the types too, and it's *probably* safe to
replace int by u_int, but I'm reluctant to touch the ioctl
definitions without at least a modicum more thought.  Also one of
them is a u_long, because why not?)

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/sys/altq/altq_wfq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/altq/altq_wfq.c
diff -u src/sys/altq/altq_wfq.c:1.21 src/sys/altq/altq_wfq.c:1.22
--- src/sys/altq/altq_wfq.c:1.21	Wed Apr 20 08:58:48 2016
+++ src/sys/altq/altq_wfq.c	Fri Jul 28 13:58:47 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_wfq.c,v 1.21 2016/04/20 08:58:48 knakahara Exp $	*/
+/*	$NetBSD: altq_wfq.c,v 1.22 2017/07/28 13:58:47 riastradh Exp $	*/
 /*	$KAME: altq_wfq.c,v 1.14 2005/04/13 03:44:25 suz Exp $	*/
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_wfq.c,v 1.21 2016/04/20 08:58:48 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_wfq.c,v 1.22 2017/07/28 13:58:47 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -517,14 +517,15 @@ wfq_setweight(struct wfq_setweight *swp)
 	wfq *queue;
 	int old;
 
-	if (swp->weight < 0) {
-		printf("set weight in natural number\n");
+	if (swp->weight < 0)
 		return (EINVAL);
-	}
 
 	if ((wfqp = altq_lookup(swp->iface.wfq_ifacename, ALTQT_WFQ)) == NULL)
 		return (EBADF);
 
+	if (swp->qid < 0 || swp->qid >= wfqp->nums)
+		return (EINVAL);
+
 	queue = >queue[swp->qid];
 	old = queue->weight;
 	queue->weight = swp->weight;
@@ -543,7 +544,7 @@ wfq_getstats(struct wfq_getstats *gsp)
 	if ((wfqp = altq_lookup(gsp->iface.wfq_ifacename, ALTQT_WFQ)) == NULL)
 		return (EBADF);
 
-	if (gsp->qid >= wfqp->nums)
+	if (gsp->qid < 0 || gsp->qid >= wfqp->nums)
 		return (EINVAL);
 
 	queue = >queue[gsp->qid];

CVS commit: src/sys/altq

2017-07-28 Thread Taylor R Campbell 
Module Name:src
Committed By:   riastradh
Date:   Fri Jul 28 13:53:17 UTC 2017

Modified Files:
src/sys/altq: altq_cbq.c altq_hfsc.c altq_jobs.c altq_priq.c

Log Message:
Zero buffers copied to userland to avoid stack disclosure.

>From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 src/sys/altq/altq_cbq.c
cvs rdiff -u -r1.26 -r1.27 src/sys/altq/altq_hfsc.c
cvs rdiff -u -r1.10 -r1.11 src/sys/altq/altq_jobs.c
cvs rdiff -u -r1.23 -r1.24 src/sys/altq/altq_priq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/altq/altq_cbq.c
diff -u src/sys/altq/altq_cbq.c:1.30 src/sys/altq/altq_cbq.c:1.31
--- src/sys/altq/altq_cbq.c:1.30	Mon Jun 20 08:30:58 2016
+++ src/sys/altq/altq_cbq.c	Fri Jul 28 13:53:17 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_cbq.c,v 1.30 2016/06/20 08:30:58 knakahara Exp $	*/
+/*	$NetBSD: altq_cbq.c,v 1.31 2017/07/28 13:53:17 riastradh Exp $	*/
 /*	$KAME: altq_cbq.c,v 1.21 2005/04/13 03:44:24 suz Exp $	*/
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.30 2016/06/20 08:30:58 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.31 2017/07/28 13:53:17 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -471,6 +471,7 @@ cbq_getqstats(struct pf_altq *a, void *u
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(, 0, sizeof(stats));
 	get_class_stats(, cl);
 
 	if ((error = copyout((void *), ubuf, sizeof(stats))) != 0)
@@ -880,6 +881,7 @@ cbq_getstats(struct cbq_getstats *gsp)
 			if (++i >= CBQ_MAX_CLASSES)
 goto out;
 
+		memset(, 0, sizeof(stats));
 		get_class_stats(, cl);
 		stats.handle = cl->stats_.handle;
 

Index: src/sys/altq/altq_hfsc.c
diff -u src/sys/altq/altq_hfsc.c:1.26 src/sys/altq/altq_hfsc.c:1.27
--- src/sys/altq/altq_hfsc.c:1.26	Wed Apr 20 08:58:48 2016
+++ src/sys/altq/altq_hfsc.c	Fri Jul 28 13:53:17 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_hfsc.c,v 1.26 2016/04/20 08:58:48 knakahara Exp $	*/
+/*	$NetBSD: altq_hfsc.c,v 1.27 2017/07/28 13:53:17 riastradh Exp $	*/
 /*	$KAME: altq_hfsc.c,v 1.26 2005/04/13 03:44:24 suz Exp $	*/
 
 /*
@@ -43,7 +43,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.26 2016/04/20 08:58:48 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.27 2017/07/28 13:53:17 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -312,6 +312,7 @@ hfsc_getqstats(struct pf_altq *a, void *
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(, 0, sizeof(stats));
 	get_class_stats(, cl);
 
 	if ((error = copyout((void *), ubuf, sizeof(stats))) != 0)

Index: src/sys/altq/altq_jobs.c
diff -u src/sys/altq/altq_jobs.c:1.10 src/sys/altq/altq_jobs.c:1.11
--- src/sys/altq/altq_jobs.c:1.10	Mon Nov 21 07:15:36 2016
+++ src/sys/altq/altq_jobs.c	Fri Jul 28 13:53:17 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_jobs.c,v 1.10 2016/11/21 07:15:36 dholland Exp $	*/
+/*	$NetBSD: altq_jobs.c,v 1.11 2017/07/28 13:53:17 riastradh Exp $	*/
 /*	$KAME: altq_jobs.c,v 1.11 2005/04/13 03:44:25 suz Exp $	*/
 /*
  * Copyright (c) 2001, the Rector and Board of Visitors of the
@@ -59,7 +59,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.10 2016/11/21 07:15:36 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.11 2017/07/28 13:53:17 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -2110,10 +2110,9 @@ jobscmd_class_stats(struct jobs_class_st
 	usp = ap->stats;
 	for (pri = 0; pri <= jif->jif_maxpri; pri++) {
 		cl = jif->jif_classes[pri];
+		(void)memset(, 0, sizeof(stats));
 		if (cl != NULL)
 			get_class_stats(, cl);
-		else
-			(void)memset(, 0, sizeof(stats));
 		if ((error = copyout((void *), (void *)usp++,
  sizeof(stats))) != 0)
 			return (error);

Index: src/sys/altq/altq_priq.c
diff -u src/sys/altq/altq_priq.c:1.23 src/sys/altq/altq_priq.c:1.24
--- src/sys/altq/altq_priq.c:1.23	Wed Apr 20 08:58:48 2016
+++ src/sys/altq/altq_priq.c	Fri Jul 28 13:53:17 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_priq.c,v 1.23 2016/04/20 08:58:48 knakahara Exp $	*/
+/*	$NetBSD: altq_priq.c,v 1.24 2017/07/28 13:53:17 riastradh Exp $	*/
 /*	$KAME: altq_priq.c,v 1.13 2005/04/13 03:44:25 suz Exp $	*/
 /*
  * Copyright (C) 2000-2003
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_priq.c,v 1.23 2016/04/20 08:58:48 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_priq.c,v 1.24 2017/07/28 13:53:17 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -219,6 +219,7 @@ priq_getqstats(struct pf_altq *a, void *
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(, 0, sizeof(stats));
 	get_class_stats(, cl);
 
 	if ((error = copyout((void *), ubuf, sizeof(stats))) != 0)

CVS commit: src/sys/dev/usb

2017-07-28 Thread Nick Hudson 
Module Name:src
Committed By:   skrll
Date:   Fri Jul 28 13:23:01 UTC 2017

Modified Files:
src/sys/dev/usb: if_ural.c

Log Message:
Free the RX list if ural_alloc_rx_list fails part way through.

Reported by Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/sys/dev/usb/if_ural.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/usb/if_ural.c
diff -u src/sys/dev/usb/if_ural.c:1.51 src/sys/dev/usb/if_ural.c:1.52
--- src/sys/dev/usb/if_ural.c:1.51	Fri Nov 25 12:56:29 2016
+++ src/sys/dev/usb/if_ural.c	Fri Jul 28 13:23:01 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ural.c,v 1.51 2016/11/25 12:56:29 skrll Exp $ */
+/*	$NetBSD: if_ural.c,v 1.52 2017/07/28 13:23:01 skrll Exp $ */
 /*	$FreeBSD: /repoman/r/ncvs/src/sys/dev/usb/if_ural.c,v 1.40 2006/06/02 23:14:40 sam Exp $	*/
 
 /*-
@@ -24,7 +24,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_ural.c,v 1.51 2016/11/25 12:56:29 skrll Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ural.c,v 1.52 2017/07/28 13:23:01 skrll Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -652,7 +652,7 @@ ural_alloc_rx_list(struct ural_softc *sc
 
 	return 0;
 
-fail:	ural_free_tx_list(sc);
+fail:	ural_free_rx_list(sc);
 	return error;
 }

CVS commit: src/sys/kern

2017-07-28 Thread Martin Husemann 
Module Name:src
Committed By:   martin
Date:   Fri Jul 28 12:28:48 UTC 2017

Modified Files:
src/sys/kern: kern_malloc.c

Log Message:
Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel.
XXX Time to kill malloc() completely!


To generate a diff of this commit:
cvs rdiff -u -r1.145 -r1.146 src/sys/kern/kern_malloc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_malloc.c
diff -u src/sys/kern/kern_malloc.c:1.145 src/sys/kern/kern_malloc.c:1.146
--- src/sys/kern/kern_malloc.c:1.145	Fri Feb  6 18:21:29 2015
+++ src/sys/kern/kern_malloc.c	Fri Jul 28 12:28:48 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_malloc.c,v 1.145 2015/02/06 18:21:29 maxv Exp $	*/
+/*	$NetBSD: kern_malloc.c,v 1.146 2017/07/28 12:28:48 martin Exp $	*/
 
 /*
  * Copyright (c) 1987, 1991, 1993
@@ -70,7 +70,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.145 2015/02/06 18:21:29 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.146 2017/07/28 12:28:48 martin Exp $");
 
 #include 
 #include 
@@ -105,7 +105,10 @@ kern_malloc(unsigned long size, int flag
 	void *p;
 
 	if (size >= PAGE_SIZE) {
-		allocsize = PAGE_SIZE + size; /* for page alignment */
+		if (size > (ULONG_MAX-PAGE_SIZE))
+			allocsize = ULONG_MAX;	/* this will fail later */
+		else
+			allocsize = PAGE_SIZE + size; /* for page alignment */
 		hdroffset = PAGE_SIZE - sizeof(struct malloc_header);
 	} else {
 		allocsize = sizeof(struct malloc_header) + size;

CVS commit: src/sys/dev/pci

2017-07-28 Thread Kengo NAKAHARA 
Module Name:src
Committed By:   knakahara
Date:   Fri Jul 28 10:34:58 UTC 2017

Modified Files:
src/sys/dev/pci: if_wm.c

Log Message:
add comment about confusing wm_rxeof() calling.

pointed out by msaitoh@n.o.


To generate a diff of this commit:
cvs rdiff -u -r1.535 -r1.536 src/sys/dev/pci/if_wm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_wm.c
diff -u src/sys/dev/pci/if_wm.c:1.535 src/sys/dev/pci/if_wm.c:1.536
--- src/sys/dev/pci/if_wm.c:1.535	Fri Jul 28 10:21:10 2017
+++ src/sys/dev/pci/if_wm.c	Fri Jul 28 10:34:58 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_wm.c,v 1.535 2017/07/28 10:21:10 msaitoh Exp $	*/
+/*	$NetBSD: if_wm.c,v 1.536 2017/07/28 10:34:58 knakahara Exp $	*/
 
 /*
  * Copyright (c) 2001, 2002, 2003, 2004 Wasabi Systems, Inc.
@@ -83,7 +83,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.535 2017/07/28 10:21:10 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.536 2017/07/28 10:34:58 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_net_mpsafe.h"
@@ -8805,6 +8805,11 @@ wm_intr_legacy(void *arg)
 			WM_Q_EVCNT_INCR(rxq, rxintr);
 		}
 #endif
+		/*
+		 * wm_rxeof() does *not* call upper layer functions directly,
+		 * as if_percpuq_enqueue() just call softint_schedule().
+		 * So, we can call wm_rxeof() in interrupt context.
+		 */
 		wm_rxeof(rxq, UINT_MAX);
 
 		mutex_exit(rxq->rxq_lock);

CVS commit: src/sys/dev/pci

2017-07-28 Thread SAITOH Masanobu 
Module Name:src
Committed By:   msaitoh
Date:   Fri Jul 28 10:21:10 UTC 2017

Modified Files:
src/sys/dev/pci: if_wm.c

Log Message:
 Check some wm_nvm_read()'s return vale.


To generate a diff of this commit:
cvs rdiff -u -r1.534 -r1.535 src/sys/dev/pci/if_wm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_wm.c
diff -u src/sys/dev/pci/if_wm.c:1.534 src/sys/dev/pci/if_wm.c:1.535
--- src/sys/dev/pci/if_wm.c:1.534	Fri Jul 28 09:12:40 2017
+++ src/sys/dev/pci/if_wm.c	Fri Jul 28 10:21:10 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_wm.c,v 1.534 2017/07/28 09:12:40 msaitoh Exp $	*/
+/*	$NetBSD: if_wm.c,v 1.535 2017/07/28 10:21:10 msaitoh Exp $	*/
 
 /*
  * Copyright (c) 2001, 2002, 2003, 2004 Wasabi Systems, Inc.
@@ -83,7 +83,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.534 2017/07/28 09:12:40 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.535 2017/07/28 10:21:10 msaitoh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_net_mpsafe.h"
@@ -11598,7 +11598,10 @@ wm_nvm_set_addrbits_size_eecd(struct wm_
 	case WM_T_82547_2:
 		/* Set dummy value to access EEPROM */
 		sc->sc_nvm_wordsize = 64;
-		wm_nvm_read(sc, NVM_OFF_EEPROM_SIZE, 1, );
+		if (wm_nvm_read(sc, NVM_OFF_EEPROM_SIZE, 1, ) != 0) {
+			aprint_error_dev(sc->sc_dev,
+			"%s: failed to read EEPROM size\n", __func__);
+		}
 		reg = data;
 		size = __SHIFTOUT(reg, EECD_EE_SIZE_EX_MASK);
 		if (size == 0)
@@ -12483,9 +12486,8 @@ wm_nvm_version(struct wm_softc *sc)
 	 * Qemu's e1000e emulation (82574L)'s SPI has only 64 words.
 	 * I've never seen on real 82574 hardware with such small SPI ROM.
 	 */
-	if (sc->sc_nvm_wordsize >= NVM_OFF_IMAGE_UID1)
-		wm_nvm_read(sc, NVM_OFF_IMAGE_UID1, 1, );
-	else
+	if ((sc->sc_nvm_wordsize < NVM_OFF_IMAGE_UID1)
+	|| (wm_nvm_read(sc, NVM_OFF_IMAGE_UID1, 1, ) != 0))
 		have_uid = false;
 
 	switch (sc->sc_type) {
@@ -12522,8 +12524,8 @@ wm_nvm_version(struct wm_softc *sc)
 	default:
 		return;
 	}
-	if (check_version) {
-		wm_nvm_read(sc, NVM_OFF_VERSION, 1, _data);
+	if (check_version
+	&& (wm_nvm_read(sc, NVM_OFF_VERSION, 1, _data) == 0)) {
 		major = (nvm_data & NVM_MAJOR_MASK) >> NVM_MAJOR_SHIFT;
 		if (have_build || ((nvm_data & 0x0f00) != 0x)) {
 			minor = (nvm_data & NVM_MINOR_MASK) >> NVM_MINOR_SHIFT;
@@ -12547,14 +12549,16 @@ printver:
 	}
 
 	/* Assume the Option ROM area is at avove NVM_SIZE */
-	if ((sc->sc_nvm_wordsize >= NVM_SIZE) && check_optionrom) {
-		wm_nvm_read(sc, NVM_OFF_COMB_VER_PTR, 1, );
+	if ((sc->sc_nvm_wordsize >= NVM_SIZE) && check_optionrom
+	&& (wm_nvm_read(sc, NVM_OFF_COMB_VER_PTR, 1, ) == 0)) {
 		/* Option ROM Version */
 		if ((off != 0x) && (off != 0x)) {
+			int rv;
+
 			off += NVM_COMBO_VER_OFF;
-			wm_nvm_read(sc, off + 1, 1, );
-			wm_nvm_read(sc, off, 1, );
-			if ((uid0 != 0) && (uid0 != 0x)
+			rv = wm_nvm_read(sc, off + 1, 1, );
+			rv |= wm_nvm_read(sc, off, 1, );
+			if ((rv == 0) && (uid0 != 0) && (uid0 != 0x)
 			&& (uid1 != 0) && (uid1 != 0x)) {
 /* 16bits */
 major = uid0 >> 8;
@@ -12566,10 +12570,8 @@ printver:
 		}
 	}
 
-	if (have_uid) {
-		wm_nvm_read(sc, NVM_OFF_IMAGE_UID0, 1, );
+	if (have_uid && (wm_nvm_read(sc, NVM_OFF_IMAGE_UID0, 1, ) == 0))
 		aprint_verbose(", Image Unique ID %08x", (uid1 << 16) | uid0);
-	}
 }
 
 /*

CVS commit: src/sys/dev/pci

2017-07-28 Thread SAITOH Masanobu 
Module Name:src
Committed By:   msaitoh
Date:   Fri Jul 28 09:12:40 UTC 2017

Modified Files:
src/sys/dev/pci: if_wm.c

Log Message:
 Qemu's e1000e emulation (82574L)'s SPI has only 64 words. I've never seen on
real 82574 hardware with such small SPI ROM. Check sc->sc_nvm_wordsize before
accessing higer address words to prevent timeout.


To generate a diff of this commit:
cvs rdiff -u -r1.533 -r1.534 src/sys/dev/pci/if_wm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_wm.c
diff -u src/sys/dev/pci/if_wm.c:1.533 src/sys/dev/pci/if_wm.c:1.534
--- src/sys/dev/pci/if_wm.c:1.533	Thu Jul 27 03:21:42 2017
+++ src/sys/dev/pci/if_wm.c	Fri Jul 28 09:12:40 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_wm.c,v 1.533 2017/07/27 03:21:42 msaitoh Exp $	*/
+/*	$NetBSD: if_wm.c,v 1.534 2017/07/28 09:12:40 msaitoh Exp $	*/
 
 /*
  * Copyright (c) 2001, 2002, 2003, 2004 Wasabi Systems, Inc.
@@ -83,7 +83,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.533 2017/07/27 03:21:42 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.534 2017/07/28 09:12:40 msaitoh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_net_mpsafe.h"
@@ -12477,7 +12477,17 @@ wm_nvm_version(struct wm_softc *sc)
 	 *		0x2013	2.1.3?
 	 *	82583	0x10a0	1.10.0? (document says it's default vaule)
 	 */
-	wm_nvm_read(sc, NVM_OFF_IMAGE_UID1, 1, );
+
+	/*
+	 * XXX
+	 * Qemu's e1000e emulation (82574L)'s SPI has only 64 words.
+	 * I've never seen on real 82574 hardware with such small SPI ROM.
+	 */
+	if (sc->sc_nvm_wordsize >= NVM_OFF_IMAGE_UID1)
+		wm_nvm_read(sc, NVM_OFF_IMAGE_UID1, 1, );
+	else
+		have_uid = false;
+
 	switch (sc->sc_type) {
 	case WM_T_82571:
 	case WM_T_82572:
@@ -12535,7 +12545,9 @@ printver:
 			aprint_verbose(".%d", build);
 		}
 	}
-	if (check_optionrom) {
+
+	/* Assume the Option ROM area is at avove NVM_SIZE */
+	if ((sc->sc_nvm_wordsize >= NVM_SIZE) && check_optionrom) {
 		wm_nvm_read(sc, NVM_OFF_COMB_VER_PTR, 1, );
 		/* Option ROM Version */
 		if ((off != 0x) && (off != 0x)) {

CVS commit: src/sys/arch/xen/xen

2017-07-28 Thread Cherry G. Mathew 
Module Name:src
Committed By:   cherry
Date:   Fri Jul 28 07:42:41 UTC 2017

Modified Files:
src/sys/arch/xen/xen: pci_intr_machdep.c

Log Message:
APIC related macros are mixed with IOAPIC related ones.
This needs separation.

Until then, band-aid it.

This fixes pci-passthrough build failures on XEN3_DOMU pointed out by
msaitoh@


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/sys/arch/xen/xen/pci_intr_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/xen/xen/pci_intr_machdep.c
diff -u src/sys/arch/xen/xen/pci_intr_machdep.c:1.19 src/sys/arch/xen/xen/pci_intr_machdep.c:1.20
--- src/sys/arch/xen/xen/pci_intr_machdep.c:1.19	Sun Jul 16 14:02:48 2017
+++ src/sys/arch/xen/xen/pci_intr_machdep.c	Fri Jul 28 07:42:41 2017
@@ -1,4 +1,4 @@
-/*  $NetBSD: pci_intr_machdep.c,v 1.19 2017/07/16 14:02:48 cherry Exp $  */
+/*  $NetBSD: pci_intr_machdep.c,v 1.20 2017/07/28 07:42:41 cherry Exp $  */
 
 /*
  * Copyright (c) 2005 Manuel Bouyer.
@@ -26,7 +26,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pci_intr_machdep.c,v 1.19 2017/07/16 14:02:48 cherry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pci_intr_machdep.c,v 1.20 2017/07/28 07:42:41 cherry Exp $");
 
 #include 
 #include 
@@ -61,6 +61,15 @@ __KERNEL_RCSID(0, "$NetBSD: pci_intr_mac
 #include 
 #endif
 
+/* XXX: cherry@: Hack - this is a symptom of lapic vs. ioapic
+ * needing more code separation.
+ */
+#if NIOAPIC > 0
+#define IRQ_LEGACY_IRQ(_irq) APIC_IRQ_LEGACY_IRQ(_irq)
+#else
+#define IRQ_LEGACY_IRQ(_irq) (_irq & 0xff)
+#endif
+
 int
 pci_intr_map(const struct pci_attach_args *pa, pci_intr_handle_t *ihp)
 {
@@ -157,7 +166,7 @@ pci_intr_string(pci_chipset_tag_t pc, pc
 {
 	int evtch;
 
-	evtch = get_pirq_to_evtch(APIC_IRQ_LEGACY_IRQ(ih));
+	evtch = get_pirq_to_evtch(IRQ_LEGACY_IRQ(ih));
 #if NIOAPIC > 0
 	struct ioapic_softc *pic;
 	if (ih & APIC_INT_VIA_APIC) {
@@ -217,8 +226,8 @@ pci_intr_establish(pci_chipset_tag_t pci
 #endif
 		snprintf(evname, sizeof(evname), "irq%"PRIu64, intrh);
 
-	return (void *)pirq_establish(APIC_IRQ_LEGACY_IRQ(intrh),
-	get_pirq_to_evtch(APIC_IRQ_LEGACY_IRQ(intrh)), func, arg, level, evname);
+	return (void *)pirq_establish(IRQ_LEGACY_IRQ(intrh),
+	get_pirq_to_evtch(IRQ_LEGACY_IRQ(intrh)), func, arg, level, evname);
 }
 
 void